ANALYTIC PROBLEMS FOR ELLIPTIC CURVES 



E. KOWALSKI 



Abstract. We consider some problems of analytic number theory for elliptic curves which can 
be considered as analogues of classical questions around the distribution of primes in arithmetic 
progressions to large moduli, and to the question of twin primes. This leads to some local results 
on the distribution of the group structures of elliptic curves defined over a prime finite field, 
exhibiting an interesting dichotomy for the occurence of the possible groups. (This paper was 
initially written in 2000/01, but after a four year wait for a referee report, it is now withdrawn 
and deposited in the arXiv). 



Contents 



Introduction! 



Some local invariants for elliptic curved 
Totally split primed 



Elliptic twins 
Curves with complex multiplication! 



Local study of totally split primes! 
Numerical exampled 



Conclusio 



Reference; 



1 

3 
7 
20 
25 
41 
57 
63 
64 



1. Introduction 

This paper introduces and discusses some problems of analytic number theory which are 
related to the arithmetic of elliptic curves over number fields. One can see them as analogues 
of some very classical problems about the distribution of prime numbers, especially primes in 
arithmetic progressions to large moduli. The motivation comes both from these analogies and 
from the conjecture of Birch and Swinnerton-Dyer. 

To explain this, consider an elliptic curve E defined over Q, given by a (minimal) Weierstrass 
equation ([SHU VII- 1]) 



(1.1) 



y +a 1 xy + a 3 y 



with a, 6 Z. For all primes p we can consider the reduced curve E p modulo p, which for almost 
all p will be an elliptic curve over the finite field F p = Z/pZ. We wish to study the behavior of 
sums of the type 



(1.2) 



as X — > +oo, where le{p) 1S some invariant attached to the reduced curve E p and to its finite 
group of Fp-rational points in particular. For example, taking 

\E P (F P )\ 



P 
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one gets the sum 

E \ e p( f p)\ 
V 

which should be related to the behavior of the logarithmic derivative of the Hasse-Weil zeta 
function of E at s = 1, and so conjecturally to a global invariant of E/Q, the rank of its 
Mordell-Weil group E(Q). 

We wish to consider other sums of type (|l,2j) which are natural from the point of view of 
analytic number theory. The hope is to get precise enough asymptotics where global invariants 
of E would enter, to gain an understanding of the local-global principles which the Birch and 
Swinnerton-Dyer conjecture postulates. 

The plan of this paper is as follows: in the first section we state basic facts on elliptic curves 
that we'll use and introduce some natural invariants ie{p)- In Section |21 we show how the 
study of the sum (|1.2|) for one of them brings about questions involving the equidistribution of 
Frobenius elements (in the extensions of Q generated by the torsion points of E) to uniform 
and large moduli, especially on totally split primes in such extensions. We analyze this problem 
on GRH and discuss the new difficulties which arise in comparison with the case of primes in 
arithmetic progressions. There are several remarks here which may be of interest. One of the 
new phenomenon (primes splitting completely in fields generated by d torsion points with d very 
large) leads us to a notion of elliptic twins, analogues of the classical twin primes that we again 
discuss in general terms. At long last, non-trivial results are obtained in the next two sections: 
for CM curves, in Section sieve techniques in quadratic fields can be usefully applied, and in 
Section El the subject of totally split primes is viewed from a different angle: now, given a prime 
p, and d ^ 1, we ask whether or not there exists some curve E with p totally split in Q(E[d]). 
This is done in two ways, adapting results of Deuring, Waterhouse, Schoof, and using the trace 
formula and modular curves. Finally, since the problems are amenable to experimentation, we 
present in Section some numerical data and further remarks. 

Most of the results presented here are not very strong and the overall situation remains rather 
unsatisfactory. The excuse for this is that the problems seem genuinely difficult. On the other 
hand, to the author at least, their interest is very obvious. 

Notation. The symbols OQ and o() are used in the sense of (for example) Bourbaki, so 
f(x) = 0(g(x)) as x — > xq means that for x in some neighborhood U of xq we have \f(x)\ ^ 
Cg(x) for some C (depending on U). On the other hand / <C g is used in the sense that 
there exists C ^ such that for all x (in some set to be described explicitly or implicitly) we 
have \ f{x)\ ^ Cg(x). The dependence of C on other parameters is indicated by subscripts <C £ , 
etc. 

For notational convenience 1 it is sometimes useful to use another symbol 0() such that 
/ = 0(g) is equivalent to / <C g. 

It will be convenient in a number of places to use the following notation: for every real 
number x, we let 

(1.3) x- = {Vx~-l) 2 , x + = (^x~+lf. 

(defined for x ^ 1, x ^ — 1, respectively). Note that 

(x + )~ = (x _ ) + = x, and x + — x~ = 4y/x. 

Notice (2005). Up to some updates of the numerical data and typographical corrections, 
this is the version of this text that was submitted to the Transactions of the A.M.S on Oct. 10, 
2001. After four years of wait, I have withdrawn the paper to put it on arXiv instead. The 
lengthy delay means that the bibliography is not quite up to date; in particular, some papers 
of A. Cojocaru (including collaborations with W. Duke, R. Murty) are somewhat related to the 

^Many papers in analytic number theory actually use the notation 0() in this sense, and correspondingly 
speak of "hidden constants", as for <C. 
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topics presented here, see Math. Ann. 329 (2004), 531-534; Math. Ann. 330 (2004), 601-625; 
and Trans. A.M.S 355 (2003), 2651-2662 for instance. 



2. Some local invariants for elliptic curves 

In this section we want to define some of the invariants that are of interest. First we recall 
some important facts about elliptic curves. 

2.1. Elliptic curves. Let E/K be an elliptic curve defined over a field K. We will mostly 
use "old-fashioned" language, identifying E with its set of K- valued points, where K is a fixed 
algebraic closure of K. 

The endomorphism ring of E over K is denoted by End(-E'), and the endomorphism ring of E 
over K by End^-(-E). The ring End(.E) contains the subring Z corresponding to the morphisms 
x i — ^ tlx for n £ Z. When End(-E7) is strictly bigger than Z, the curve is said to be CM, or to 
have complex multiplication. 

To any tp £ Knd(E) is associated its dual Tp £ End(-E) with the property that tpolp = Tpotp = 
[deg(c^)], the multiplication by the degree of tp, as a morphism of algebraic curves ( |Si-l| III-6] ) . 

The various possibilities for End(-E) have been studied extensively by Deuring |Dej . We are 
concerned with two cases. Let O = End(.E). 

• If K is a finite field, E is always CM, and O is either an order in an imaginary quadratic 
field, in which case E is said to be ordinary, or an order in a quaternion algebra, in 
which case E is said to be supersingular (see |Si-l| V-3]). There are only finitely many 
j-invariants j € K corresponding to supersingular curves, all of degree ^ 2 over the 
prime field. 

• If K is a number field, either O = Z or O is an order in an imaginary quadratic field. In 
this case j(E) is an algebraic integer. For fixed K, there are only finitely many possible 
values of j £ K for which an elliptic curve over K with j(E) = j has CM (see |Si-21 II], 
and for instance |Si-2l App. A-3] for a list of all CM curves over Q). The dual of an 
endomorphism a is its (unique) conjugate over Q. 

Let E/K be an elliptic curve defined over a field K. For every integer d ^ 1, the d-torsion 
points of E form (depending on the point of view) either a finite subgroup or a finite subgroup 
scheme of E, denoted either E[d] or E[d](K) depending on the emphasis. 

The structure of this group depends on the characteristic p of K and is given as follows ( |Si-ll 
III-6.4]): 

• If d\ and d 2 are coprime, then 

E[d 1 d 2 ]{K) = E[d!]{K) E[d 2 ](K). 

• If (d,p) = 1 (in particular, if K is of characteristic 0), we have 

E[d](K) ~ Z/dZeZ/dZ. 

• If K is a finite field, d = p v with v ^ 1 and E is ordinary, then 

E[d](K) ~ Z/dZ. 

• If K is a finite field, d = p v with v ^ 1 and E is supersingular, then 

E[d](K) = 0. 

In any case, E[d] is a finite (and free) Z/dZ-module, and the natural action of the Galois 
group Gk = Gal(K/K) induces a Galois representation 

p d (E) : G K — » Aut(£[d]). 

Assume now that (d,p) = 1, then by choosing a basis we get 2-dimensional representations, 
well-defined up to conjugacy 

Pd (E) : Gk — > GL(2, Z/dZ). 
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Those are compatible, meaning that if e | d, then we have 

Pe {E)= Pd {E) (mode) 

with obvious notations. In particular, taking a prime £ ^ p and d = £ v for all v ^ 0, we obtain 
a projective system of representations into GL(2,Z/£ V Z) which can be put together into an 
integral £-adic representation 

pi : G K — GL(2,Z<). 
Let now if = Fq be a finite field with g elements, of characteristic p (this will be a standing 
convention). The group of Fg-rational points on E is finite. We write 

n(E) = \E(F g )\ 

for its order. The most important invariant of E/F q is the integer a{E) such that 

(2.1) n(E) = \E(F q )\ = q + l — a(E). 

One knows that a(E) characterizes the isogeny class of E over K (see |Si-ll Ex. 5.4]). Moreover, 
E is supersingular if and only if p \ a(E). In case q = p, this is equivalent with a(E) = 
(see (jUSJ)), so there is a unique isogeny class of supersingular curves defined over the base field 
F p . 

The integer a(E) is also linked to End(-E'). The Frobenius automorphism a : x *— > x q of F q 
is an element of End(-E). We have f |Si-l[ V]) 

(2.2) a(E) = Tr(cr) = a + a 

(2.3) n(E)=N(a-l) = (a-l)(a-l). 

For any integer d with (d,p) = 1, a{E) is further related to the Galois representation pd{E) 
(EtHV])by 

(2.4) det(p d (a)) = q(modd) and Tr(p d (a)) = a(E) (mod d). 
Hence the £-adic representation pi satisfies the fundamental property 

(2.5) det(p e (a))=q and Tr{p £ (a)) = a{E). 

Hasse proved (the Riemann Hypothesis for elliptic curves over finite fields, see |Si-ll V-l.l]) 
that 

(2.6) \a(E)\ ^ 

If K is a number field, then for any prime ideal p of K where E has good reduction, the 
above theory applies to the reduced curve Ep modulo p. For instance, the Galois representation 
pl{E) (for any I not dividing p) satisfies 

(2.7) det( Pe {a p )) = Np and Tr(p e {a p )) = a p (E) 

where a p is a Frobenius element at p and a p = a{E p ). 

For an elliptic curve E/K, and an integer d ^ 1, we let K{E[d\) denote the finite extension 
of K obtained by adjoining the coordinates of the d-torsion points of E, or in other words 
the smallest extension L/K such that E[d](K) C E(L). This is a Galois extension and in 
fact K(E[d]) is the extension of K corresponding to the closed subgroup ker(p^) of Gk, i-e. 
K(E[d]) = K kev P d , so that there is a canonical isomorphism 

(2.8) Gal{K{E[d])/K) -Im^C Aut(£[d]). 

We will denote G d = Gal(K (E[d\) / K) when E and K are clear in the context. 
In the case d = 2, and K of characteristic ^ 2, if E/K is given by an equation 

y 2 = fix) 

for some cubic polynomial / 6 the 2-division points of E are the origin, and the points 

(a, 0) where a runs over the three distinct roots of E in K. In particular, E[2] C E{K) if and 
only if / splits into linear factors in -fCpT]. 
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We let [i d denote the group (scheme) of the d-th roots of unity. It is known ( |Si-ll III-8. 11] ) 
that K(fi d ) C K(E[d\) where K(/j, d ) is the field obtained by adjoining all d-th. roots of unity to 
K. In the case of number fields (resp. finite fields), this can be seen from (|2.7[) (resp. (|2.4|) ): the 
determinant condition implies that primes totally split in K(E[d]) are totally split in K(fi d ), 
which implies that K{E[d]) contains K(fi d ) (see e.g. |Nel V-6.8]). 

If K is a number field and p is a prime ideal in K where E has good reduction, the residue field 
extension of K(E[d]) at p is isomorphic to Fp(Ep[d]). Indeed the reduction map E[d](Kp) — > 
E p (Fp) is surjective (see e.g. |Si-l| VII-3.1] if (d, p) = 1, which will be the case we need, and 
adapt |Si-l| Ex. IV-4.4] for the general case). 

In this case of a number field, the Galois groups Gd are known "up to finite index" . 

Theorem 2.1. Let K be a number field, E/K an elliptic curve. Then 

1. (Deuring, see jSe-lL 4.5]) If E has complex multiplication and O = End^-(-E'), with O C K , 
then pd induces a group homomorphism 

Pd ■ Gk — ► (0/dO) x 

with the property that as d ranges over all integers d ^ 1, the index of Gd in the finite group 
(OfdO) x is bounded by a constant i{E). 2 

2. (Serre |Se-lj ) If E does not have complex multiplication, then the index of Gd in the finite 
group Aut(i5[(i]) ~ GL(2,Z/dZ) is bounded by a constant i(E). 

Note that 

(2.9) \GL(2, Z/dZ)\ = d^(d)ip(d) 2 
where <f> is Euler's function and 

(2.10) v^)=^n( i+ ")- 

P \d p 

Since O is not a Dedekind ring in general, hence does not have unique factorization into ideals, 
the order of (OfdO) x is not a multiplicative function of d. If O is the full ring of integers of its 
fraction field k, or if d is coprime with the discriminant of O, then \{0/dO) x \ is the analogue 
of the Euler function for ideals in k: 

(2.H) \(o/dor\ = d 2 n (i-^-). 

pM 

Informally, we say that in the CM case, \Gd\ is of order of magnitude d 2 , and in the non-CM 
case, \Gd\ is of order of magnitude d 4 . This difference will be important later on so we define 
the Galois dimension g = g{E) of E to be 2 if E has CM and 4 if not (it is the dimension of 
the £-adic Lie group lm(p£(GK)) C GL(2, Zp), or of its Lie algebra for I large enough |Se-4j ) . 

2.2. Local invariants. First we describe the group structure of the rational points of an elliptic 
curve defined over a finite field. This is well known. 

Lemma 2.2. Let E/F q be an elliptic curve defined over a finite field with q elements. There 
exist unique integers d\ and efo such that 

(2.12) E(F q ) ~ Z/diZ © Z/did 2 Z. 

Proof. The group E{F q ) is finite, hence of finite exponent, so for some O 1 we have 

E(F q ) C E[d](F q ). 

As we recalled in Section al! the group on the right has a system of generators with at most two 
elements. By the structure theorem of finite abelian groups, the same is true for any subgroup, 
and they are all of the form stated. □ 



If K does not contain the endomorphism ring, Gd is at most an extension of {0/dO) K by Z/2Z. 

5 



The integers d\, di are very interesting invariants of E. We will denote them by d\{E) (resp. 
d2(E)) or di(p) (resp. (^(p)) when E is obtained by reducing a curve over a number field 
modulo a prime ideal p. 

Lemma 2.3. Let E/F q be an elliptic curve over a finite field with q elements. Then 

(1) We have 

d x = di{E) = max{d > 1 | (d,p) = l and E[d](F q ) C E(F q )} 

i.e d\{E) is the largest integer d prime to p for which all of the d-torsion is rational over F q . 
The max can be taken with respect to the order by divisibility or the "linear" order on Z. 

(2) We have 

d 1 (E) 2 d 2 (E) = n(E) =q+l- a(E). 

(3) We have 

q + 1 - a(E) = 0(modd 2 ), q = l(modd 1 ), a{E) = 2 (mod di). 

(4) We have 

(2.13) + 
(see for the definition). 

Proof. All this is easy from the structure of the (i-torsion points. For (1), observe that the finite 
abelian group 

Z/diZ Z/did 2 Z 

contains d\ points of order d\, namely Z/diZ © d-^Lj 'did^L. Since it is known a priori that 
E(F q ) contains at most d 2 points of order d for any d ^ 1, all the di-torsion is F^-rational. 
Moreover, if there exists d > d\ for which E[d](F q ) C E(F q ), we can write d = d\d' for some 
d! > 1. Then d! must be of the form d' = p v for some v ^ 1, since otherwise there would be 
e 2 points of order e which are F q -rational, for some e > d, which the group structure (|2.12|) 
forbids. 

The second point is obvious, and gives the first congruence in (3), while (|2.4j) gives the other 
congruences. 

For (t2~T3l . since d\ \ q + 1 - a{E), and q + 1 - a(E) > 0, it follows that d\ ^ q + 1 - a(E) ^ 
(^g + 1) 2 by (El). □ 

Remark 2.4. The congruence n(S) = (mode? 2 ) can also be obtained from the Galois represen- 
tations without referring to the points of the elliptic curve: let 7 = p(o~) G GL(2, Z/d 2 Z). We 
know that 7 = 1 (mod <ii) by definition. Now writing 7 = 1 + dij' and expanding the trace and 
determinant, we obtain using (|2,4j) (both for d = d\ and d = d\) 

2 + dTr(7 ; ) = a(£) (modci 2 ), l + dTrfV) =p(modd 2 ). 

Then observe that Tr(7') = a(S) (moddi) and subtract to get 1 = a — p(modd 2 ). (This remark 
is due to N. Katz). 

Remark 2.5. If q = p ^ 3 the condition (d,p) = 1 in the characterization (1) of d\ can be omitted 
unless either E is supersingular or a(E) = 1. In the first case, of course, = E[p n ] C E(F p ) for 
all n ^ 1, while in the second case we have |-E(F p )| = p so i?(F p ) is cyclic of order p and must 
equal E[p\. Conversely, for E ordinary, if d = p n e with (e,p) = 1 and E[d] C E(F p ), we get 
p n e 2 \ p + 1 — a(E) and by the Riemann Hypothesis (|2.6|) it follows immediately that n = e = 1. 

Note that curves with a(E) = 1 (modp) occur in other contexts. If E arises by reduction 
modulo p of a curve over Q, the prime p is called anomalous |Maj . When p ^ 7, a{E) = 1 is 
the same as a(E) = 1 (modp), so those curves, and the supersingular curves, form two isogeny 
classes of curves over F„. 



The next lemma is equally simple. 
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Lemma 2.6. Let E/F q be an elliptic curve defined over a finite field and d ^ 1 an integer with 
(d,p) = 1. Then E[d] C E(F q ) if and only if a = 1 (mode?) in Knd(E), where a is the Frobenius 
endomorphism of E. 

Proof. Let K = End(i^) (g>z Q, which is either a quadratic field or a quaternion algebra over Q, 
and let a' = (a — l)/d G K. The congruence in the statement of the Lemma means a' G End(-ET); 
since d is central in K, there is no ambiguity in the side on which d" 1 is put in the definition 
of a'. 

Now if a' G End(-E), we have a = 1 + da', so for any x G £7[d] it follows that o~(x) — a; = 
a'(dx) = 0, hence :r is F g -rational. Conversely, if E[d] C E(F q ), the F g -isogeny (/> = a— 1 of £7 
satisfies ker(d) C ker(0); since (d,p) = 1, multiplication by d is separable, hence f |Si-ll III-4. 11] ) 
(j) factorizes by d : E — > E, which means a = 1 (modfi). □ 

Here is the global interpretation of d\. 

Lemma 2.7. Let E/K be an elliptic curve over a number field, p a prime ideal such that E has 
good reduction modulo p. For any integer d ^ 1, we have d \ d\(Ep) if and only if p is totally 
split in the field K{E[d\). 

Proof. Both statements imply that (d,p) = 1: this is by definition for d\ and because if p is 
totally split, it is unramified in K(E[d]), hence in K(fi d ), which implies iV"p = 1 (modd). 

We know that the residue field extension of K(E[d]) at p is F p (Ep[d]). If p is totally split, 
this extension is trivial, so all the <i-torsion is rational, i.e. d \ di(E p ). 

Conversely, if d \ di(Ep), the condition (d,p) = 1 implies that p is unramified in K{E[d]) 
( |Si-l| 4.1]). Then the residue field extension being trivial means that p is totally split. □ 



3. Totally split primes 

3.1. The splitting problem for elliptic curves. Let E/K be an elliptic curve over a number 
field. Apart from the number of points Np + 1 — ap{E) on E modulo a prime ideal, one of the 
most natural invariant to insert in a sum ()1.2|) is i(p) = d\(p). Thus we define for X ^ 1 

(3.1) S E {X;d l )= Y, MP) 

Np^X 

where as before d±(p) = d\{Ep) (we define, rather arbitrarily, d\{p) = for ramified primes). 

Problem 3.1. What is the asymptotic behavior of Se(X; di) as X — > +oo ? 

Because of the following link with primes totally split in division fields of E, we call this the 
elliptic splitting problem for E. 

Lemma 3.2. Let E/K be an elliptic curve over a number field. We have 

(3.2) S E {X-d l )= Yl <p(d)Tr E (X;d,l) 

for X ^ 1, where 

(3.3) 7T E (X;d, 1) = |{p | Np ^ X, and p is totally split in K(E[d])}\. 
Proof. Using the convolution formula 

n = Y <^ a ) 

ab=n 
7 



and (|2.13j) . we have 

S E (X;d 1 )= d i(P) 

Np^X 

= E E *w 
= E E 1 

cfsCv^+l Np^X 
d\d!(p) 

= <p(d)nE(X;d,l), bv Lemma 12.71 

d^Vx+i 

□ 

Remark 3.3. This lemma shows that the elliptic splitting problem is quite analogous to the 
classical Titchmarsh divisor problem (first considered in |Ti-lj ) which concerns the asymptotic 
behavior of the sum 

S(X,d) = £d(p-l) 

p^X 

where d(n) is the number of (> 0) divisors of n. This was solved by Linnik 3 (see (Llj): 
Theorem 3.4. (Linnik) We have 

(3.4) S{X,d)~cx with c = (l + -^ j = = 1-943596. . . 

as X -> +oo. 

Linnik proved this by a very difficult argument using the dispersion method, although now it 
is easy to derive from the Bombieri- Vinogradov theorem and the Brun-Titchmarsh theorem (see 
e.g. |HEI §3.5]; we will essentially redo this argument later on). Although this will not matter 
here, we mention that Bombieri, Friedlander, Iwaniec |BFIj and independently Fouvry |Fouj . 
have proved a more precise formula, with a second term of magnitude X/logX, using their 
deep results about primes in arithmetic progressions to moduli d > yX. 

The first step in this proof is to write 



din) = 1 



ab=n 



v-^ I 1 if n is a square, 

(3.5) = 2 y 1 + < (Dinchlet s divisor-switchmg trick) 

otherwise 

d\n \ 

d<^/n 

which leads immediately to 

S(X,d) = J]7r(X;d,l) 

(3.6) = 2 E {AX;d,l) -ir(d 2 + l;d,l)) +VX + 0(1). 

d<\/X 

where for any integer a, ir(X;d,a) is the classical counting function for primes p = a(modd). 
By the elementary theory of cyclotomic fields, this is also the number of primes p ^ X such 
that the Frobenius at p acts on d-th roots of unity by ( i— » £ a , so that ir(X; d, 1) is the number 
of p ^ X totally split in the cyclotomic field generated by d-th roots of unity. 

Theorem I3.4| via the formula (|3.6j) . will actually be used in Section reinforcing the connec- 
tion between this classical result and Problem l3.ll We may also remark that another connection 

^Titchmarsh had shown the result on the Riemann Hypothesis (see also below) . 



arises if one interprets d(p— 1) as the number of subgroups of the cyclic group (Z/pZ) x . Indeed, 
the number of subgroups of the finite abelian group Ep(F p ) with 

E 9 (F P ) ~ Z/d x Z®Z/d 1 d 2 Z 

is "essentially" dominated by d\ (see Birkhoff 's description of the subgroups of a finite abelian 
group, [El Th. 8.1], or [C-21 4.1.10]), so S^pfjdi) is closely related to the sum 

where T(p) is the number of subgroups of E?p(F p ). The analogy between S(X, d) and S E (X) d\) 
seems however deeper using the Galois-theoretic interpretation. 

More generally, for C C GL(2, Z/dZ) a set of conjugacy classes, we will let 

(3.7) TT E (X;d,C) = \{P I Np^X, and a p (modd) £ C}\. 

It is also convenient in many situations to weigh primes by logp, so we define also 4 

(3.8) e E (X;d,C) = l °S N P- 

Np^X 

Since we deal with all fields K(E[d\) at the same time, we use the shorthand notation <7 P (mod d) 
to denote a Frobenius element at p for the field K(E[d\), so <t p G Gd', by convention, writing 
this implies also that p is unramified in K(E[d\). This notation is compatible, in the case 
of the cyclotomic fields Q(/^ rf ), with the usual meaning of congruences and the isomorphism 
Gal(Q(/x d )/Q) — ► (Z/dZ) x which sends a p to p(modd). 

We see that (|3,6|) and Q3.2|) are comparable in that both involve the average distribution 
of Frobenius elements in the extensions generated by d-torsion points of some algebraic group 
(either E or the multiplicative group), uniformly for d quite large. However, there are a number 
of important qualitative differences, as will be explained later on. Here we only mention that 
the factor (p(d) in ()3.2|) makes it impossible to switch divisors there as in (|3.5|) . making the 
contribution of the very large moduli very hard to handle. 

The estimation of (j3.2j) seems to be a much harder problem than the Titchmarsh divisor 
problem. 

Remark 3.5. I have not seen any mention of the problem of estimating SE(X;d\) in the litera- 
ture; however, there are a number of not unrelated works concerning the question of counting 
primes p ^ X such that E p (F p ) is cyclic (i.e. d\{E p ) = 1) for an elliptic curve E/Q, for 
instance CM . Also Serre |Se-2j . for counting supersingular primes p ^ X, uses the fields of 
^-torsion with £ prime and quite large with respect to X; however £ is fixed for a given X, so 
the question of uniformity with respect to the modulus occurs in somewhat attenuated form. 

3.2. Analysis of the elliptic splitting problem on GRH. For fixed d ^ 1, the asymptotic 
behavior of TTE(X;d, 1) is given by the Chebotarev Density Theorem. Under GRH, it can be 
stated in a sharp form. First we introduce some notation. As before, E/K is an elliptic curve 
over a number field, d ^ 1 an integer, Gd is the Galois group of K(E[d]) over K. Let be 
the absolute value of the discriminant of K(E[d])/Q, n\ the degree [K : Q], so [K(E[d]) : Q] = 
\G d \m. We let N E be the norm of the conductor of E/K f [ST2l IV-10]). 

Proposition 3.6. Assume GRH for the Artin L- functions. With the above notation, we have 

(3.9) n E (X;d,l) = t^ti K*) + 0(v^tog(Ai(d|G d | J /Vj^)' n )) 

Iwl 



It would be better to consider here the partial sum of coefficients of the logarithmic derivative of the Artin 
L-function associated to the character of Gd which has trace equal to the characteristic function of C. 
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for X ^ 2, with an absolute implied constant, and 

(3.10) 9 E (X;d,l) = j^ + 0{Vx(logx)(\og(A 1 (d\G d \N E X)^))). 
for X ^ 2, itrai/t an absolute implied constant. 

Proof. This is just making explicit the version given by Serre |Se-2| . based on that of Lagarias- 
Odlyzko, and is well-known: we include the proof for completeness. Theoreme 4 of So-2 reads 
in this case 

ir E (X;C,l) = -^Hx)+r E (X;d) 
\^d\ 

with the estimate 

(3.11) r E (X;d) « -^VX(log(A d ) + ni\G d \ log X), 

\G d \ 

with an absolute implied constant. We have (see e.g. |Se-3| III]) 

logA d = | G d | log Ai + \ogNd d 

where Q d is the relative discriminant of K(E[d])/K. Then Proposition 5 of |Se-2j gives an upper 
bound 

log A d < \G d \ log Ai + ni \G d \ (l - y^-| ) logP d + n x \G d \ log \G d \, 

where P d is the product of the primes p which are residue characteristics of primes of K ramified 
in K{E[d]). If p is a prime of good reduction of E and (d,p) = 1, p is unramified in K(E\d\). 
It follows easily that 

Pd | dN E . 

Thus we get 

° t % t d < log Ai + ni log dN E + m log \G d \. 

The first term in ()3.11|) is thus 

1 



Xlog(A d ) < VXlog(A 1 (d|G d |iV i; ) 



ni N 



so that we obtain 

r E (X;d) « V^log(Ai(d|G d |iV B Xr) 

with an absolute implied constant. 

The proof for is similar or deduced by partial summation. □ 

Remark 3.7. If K = Q, this can be written 

(3.12) tt e (X; d, 1) = j^-r li(x) + 0(Vx\og(dN E X)), 

(with an absolute implied constant) by observing that \G d \ sj d 4 (for example), and one can 
replace N E by the absolute value of the discriminant of E, which it divides. 

For comparison, it is classical that GRH for Dirichlet L-functions implies 

(3.13) ir(X; d, a) = — ^- li(x) + 0(VX\og(dX)) 

<f(d) 

with an absolute implied constant. 

Recall from Theorem 12.11 and the Remark following, that as d —* +oo the order of G d is 
comparable with d 9 where g = 2 if E has CM and with g = 4 if not. Comparing the error term 
in (|3.9|) with \G d \, it follows that (|3.9|) gives the asymptotic behavior 

tt e (X; d, 1) ~ — — li(x) as X — » +oo 
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uniformly for d up to X 1 ^ 2,9 ^ 5 for any e > 0, whereas (|3,13[) implies the corresponding asymp- 
totic for primes in arithmetic progression to moduli d X 1 / 2 " 6 . Hence, since l/(2g) = 1/4 
(in the CM case) or = 1/8 (otherwise), we see a great difference for the purpose of applying 
the estimates (|3.9j) or (|3.13j) to the sums (|3.2|) and ()3.6j) . In the case of the Titchmarsh divisor 
problem, GRH provides an asymptotic formula valid for "almost all" the moduli d involved 
in (|3.6|) . leaving only those d very close to X 1 / 2 to be dealt with; but for an elliptic curve, a 
whole range of d remains for which GRH does not give anything, namely 

fx 1 /*-* <^d^ X 1 / 2 + 1 ME has CM 

[X 1 / 8 - 6 ^d^ X 1 / 2 + 1 HE does not have CM. 

(it is certainly not surprising that the non-CM case appears superficially to be worse than the 
other, although whether it should really be is open to question...) 
However, we can at least state what this gives for (|3.2j) . 

Proposition 3.8. Let E/K be an elliptic curve over a number field. Assume GRH for Artin 
L-functions. Then we have 

(3.14) <P(d)7r E (X;d,l) =c(E)X + 0( ^ log^A^X 3 "^ 1 )) if E has CM, 



^ log X 



(3.15) J2 ^d)7T E (X;d,l) = c(E)\\{X) + o( — ^— log^A^ 1 X 5 " 1+1 )) otherwise 

for X ^ 2, with absolute implied constants, where 

(3.16) c(E) = Res s=0 V 7777 <T S if E has CM 

(3.17) c{E) = otherwise. 

Unconditionally, we have a lower bound 

(3.18) S E (X;d 1 )^ K , 

log A 

where the implied constant depends only on K . 

Proof. This is an immediate corollary of Proposition 13.61 Take the non-CM case for example: 
we have 

<p(d) < 1 



\G d \ ^ <P<p(d) 

so the series defining c(E) is absolutely convergent, and the main term of (|3,9|) gives 

ii(x) Y jM = c(m(x)+Q s (xV^) 

(for any e > 0, say we take e = 1/4), while for the error term we have 

X 

(logX) 4 



VX ^logiAMGdlNEXD « ^—log^A^X 5 ™^ 1 ) 



d^X 1 /^/{logX) 2 

by trivial summations (using \ Gd\ ^ d 4 ). The CM case is exactly similar, except that the series 
over d has logarithmic growth, hence the different formula for c{E). 

The lower bound (|3.18j) is an immediate consequence of the Prime Ideal Theorem in K since 
by (H21) 

S E (X; d x ) > tt e (X; 1, 1) = tt k (X) » K 

logX 

li 



where ttk(X) is the number of prime ideals with norm ^ X. □ 

Remark 3.9. Note that the restriction to d ^ X 1 / 4 comes from the occurrence of f(d) in (|3.2|l . 
The exponent is thus independent of the Galois dimension of E, and so of the actual range 
where ()3.9|) gives an asymptotic formula for tte(X; d, 1). In other words, in the non-CM case, in 
part of the summation range in (|3.15|) . the estimated term in the Chebotarev density theorem 
dominates over the main term. 

Note that the constant c in (|3.4j) is also 

c = Res s= o]T^. 

and the same argument gives 

ir(X; d, 1) ~ cX as X — > +oo, 

d<vT/(logX) 

leaving only the range VX/(logX) ^ d ^ vX to handle to solve (under GRH) the Titchmarsh 
divisor problem. 

It is reasonable to expect that the sum in Proposition l3.8l could be extended to all d ^ y/X+1, 
giving the desired asymptotic formula for the average of d\(p) over p. 

3.3. Computation of c(E). In Section [7| below we perform numerical experiments for the 
elliptic splitting problem, and it is therefore useful to be able to explicitly evaluate the constant 
c(E), at least for some elliptic curves E. This requires some knowledge of the Galois groups Gd, 
which is available in the case of what Lang- Trotter call Serre curves ( |LT| I, §5-6-7]). Serre |Se-l| 
§5] has indeed given concrete examples of such curves, and we will use his examples in Sectional 
Throughout this section, all curves are over Q. 

The difficulty in computing \Gd\, and hence c(E), is that although the index between them 
is bounded, it is never the case that Gd = GL(2, Z/dZ) for all d ^ 1, as shown by Serre. More 
precisely, let E[oo] be the set of all torsion points of E, and 

Poo : Gq — ► Aut(£[oo]) 

the natural Galois representation, so that p^ (mode?) = pd for all d ^ 1. Recall that 

Aut(£[oo]) = ]jGL(2,Z e ) 

i 

and the ^-th component of poo is the £-adic representation p£. 

Define an index 2 subgroup He of Aut(i£[oo]) as follows: let e : GL(2,7i2) — > {±1} be the 
map given by composition 

GL(2, Z 2 ) -» GL(2, Z/2Z) ~ 6 3 {±1} 

where e is the signature on 63. Let x be the Kronecker symbol of the quadratic extension 
Q(\/A), where A is the discriminant of E, and m its conductor. The subgroup in question is 
defined by 

H E = {9 = (gt) e Aut(£[oo]) | s(g 2 ) = x(g (modm))} 
Then the precise form of Serre's result ( |Se-l| Prop. 22]) is: 

Proposition 3.10. (Serre) For any elliptic curve E/Q we have Poo(Gq) C He- 

By definition, a Serre curve is an elliptic curve E/Q such that poo(G Q ) = H E (see jCTJ I, 
§5] for a more detailed discussion, Section [7| for concrete examples). 

Proposition 3.11. Let E/Q be a Serre curve, and let m be as above. We have 



[GL(2, Z/dZ) : G d ] 



2 if 2m I d 
1 otherwise. 
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Proof. Clearly we have 

H E = H 2m x H GL(2,Z e ), 

(e,m)=l 

where Him is the obvious subgroup (the definition of He only involves the components of g at 
£ | 2m). Let g = (gg) be a representative of the non-trivial coset of Hi m . Correspondingly, if 
d = 0I10I2 with d\ I (2m)°° and (cfe, 2m) = 1, we have 

G d = G dl xGL(2,Z/d 2 Z). 

So it is enough to compute the index of G dl - Since He is of index 2 in Aut(£'[oo]), it is either 
1 or 2. Now if 2m \ d±, the reduction modulo d of g is an element in G^ which is not in 
i?2m (moddi), so the index is 2 in this case. 

Conversely, if 2m does not divide di, let i be a prime dividing 2m but not di. For any 
g G GL(2, Z/diZ), we can lift it to 

[]GL(2,Z,0 

and then change the component at I so that the resulting g is in Hi m \ this element reduces to 
g modulo di, so the index of Gd x is 1 in this case. □ 

Lemma 3.12. Let f and g be arithmetic functions with g multiplicative such that 




ag(d) if n \ d 
g(d) otherwise 



for some integer n ^ 1 and some a G R. Assume moreover that 
(3.19) g(nd) = dT K g{n) 

for all d I n°° and some real number k. Assume that the series ^2g(d) converges absolutely. 
Then we have 

d^l P 

where 
and 

c=l + (a-l)g(n)Hg- 1 (l-p- K )- 1 . 

p\n 

Proof. We compute, from the assumption: 

£ /(d) =aJ>( d ) + E 17(d) 

d^l n|d nfd 

= a^ 5 (d) + ^ ff (d)-^ 5 (d) 

n|d d^l n|d 

= 5>(d) + ( a -l)J>(d). 

S>1 n|d 

By multiplicativity we have 

d^l p 
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Factorizing uniquely d = d\d 2 with d\ \ n°° and (d2,n) = 1, we have further 
Y^9{d)=Y J 9{nd) 

n\d d^l 

= E 9{ndid 2 ) 

dl|n°° 
(d 2 ,n)=l 

E *(*»))(£ ^ 

(d 2 ,n)=l di|ra°° 
= I I ffp) ( E d r K ) multiplicativity and (fO?|) ) 

(p,n)=l di|n°° 

^(rona-p-*)- 1 n 

p|n (p,ra)=l 

whence the result follows. □ 
Corollary 3.13. Let E/Q be a Serve curve. We have 

c(E) =E]#T = ^(^)C(2)C(3) J] (1 " V- 2 + P- 5 ) 

^ = 1+ M n(1 " p ' I+r " 5r ' 

p|2m 

Proof. In view of Proposition 13 . 1 ll we can apply Lemma 13.121 with n = 2m, a = 2 and 

<p(d) 



with 



f(d) 
9(d) 



\G d \ 

<p(d) 



\GL(2,Z/dZ)\' 

Indeed (j3.19|) holds with k = 3 since more generally we have by (|2.9j) . (j2.1()|) 

^(ddi) = (ddi)- 3 [] p-^l -p- 2 )- 1 = dfg{d) 

p\dd\ 

if cZi has no prime divisor outside d (this formula explains where functions satisfying (|3.19j) arise 
naturally) . 

We have by ffity 

1 

~ 1 + p 3 (l-p- 2 )(l-p- 3 ) 
p 5 - p 3 + 1 



(p 2 -l)(p 3 -l)' 

hence the result after some rearranging of terms. □ 

Remark 3.14. Note that the correction factor c'(E) is usually very close to 1, so the value of 
c(E) for a Serre curve is close to 

(3.20) c = C(2)C(3) J] C 1 - P" 2 + P" 5 ) = L25845 • • • 

p 
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This means in particular that if the expected asymptotic formula for Se(X; d±) holds, by itself it 
does not carry much global information about E, except for distinguishing between CM curves 
and non-CM curves. 



Remark 3.15. One may hope that this gives the "generic" value of c(E). More precisely, recall 
that Duke |Duj has shown that for "almost all" elliptic curves over Q (in the sense of almost 
all coefficients of Weierstrass equations), there are no "exceptional primes", i.e. we have 

G p = GL{2,Z/pZ) 

for all primes p. It may be possible to refine this statement to show that almost all E/Q (in 
the same sense) are Serre curves. 

3.4. Outside primes. The simple-minded analysis based on GRH of the previous section 
points to a striking difference between the distribution of totally split primes in K(E[d]) for 
large modulus d and the case of arithmetic progressions. This is best made explicit using 



^(X;d,l)= A ( n ) 



n=a (mod d) 

where A(n) is the von Mangoldt function, equal to logp if n = p m for some prime p and m 1, 
and to otherwise. As for Be, we have on GRH 

(3.21) i;(X;d,a) = + 0(Vx(log A) (log dX)) 
for X ^ 2. 

Now, consider the smallest prime = a modulo d, or the smallest X for which ip(X;d,a) > 0. 
Since p = a (mod d) implies d ^ p — a, it follows that p ^ d + a > d, in particular the main term 
of Q3.21JI is > 1, i.e. we have 

MX; d,l) >0^> X > d^ > 1. 

We restate this as follows: all primes in arithmetic progression can be "accounted for" by the 
main term in the Chebotarev density theorem. Such is still the case of CM elliptic curves, since 
the a priori estimate (J2.13JI shows that 

(3.22) 6 E (X;d,l) > => X > (d - l) 2 

which is (roughly) compatible with the density l/|Gd| #s 1/d 2 in this case. 

Non CM curves are different: the estimate ()2.13|) is the best general bound (as shown below), 
but now the density of totally split primes is roughly 1/d 9 = 1/d 4 . If p splits in K(E[d]) with 
Ap < \Gd\, the main term in the Chebotarev density theorem is < 1, and this may be the case 
for values of d as large as y/Np + 1. Such a prime is not accounted for by the main term of the 
Chebotarev density theorem. 

Definition. Let E/K be a non-CM elliptic curve over a number field K. A prime ideal p which 
splits totally in K(E[d]) with Np < \Gj\ is called an outside prime of E. If p satisfies the weaker 
inequality A^p < d 4 , it is called a weak outside prime. 

Equivalent formulations are (G^p)! > A^p and d±(p) > (A r p) 1 / 4 respectively. 

The existence of outside primes is understandable: since the invariant <ii(p) only depends 
on the reduction of E modulo p, it follows that for given p, E being globally CM or not does 
not matter. The results on the possible group structures of elliptic curves over finite fields (see 
Section EJ) show that the a priori bound (|2.13|) is always best possible. 

We give here a simple illustrative example. 

Example 3.16. Let be the classical CM curve given by the Weierstrass equation 

(3.23) y 2 = x 3 - x 
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which has j(A) = 1728, conductor Na = 32 and endomorphism ring Endq(yl) = Z[i], the ring 
of Gaussian integers. 

The determination of the local Frobenius endomorphism of A modulo p, up to conjugation, 
is classical (see e.g. |IR1 18.4]). If p = 3 (mod 4), A is supersingular at p and a p (A) = 0. If 
p = 1 (mod 4), on the other hand, p splits in Q(i), say p = tttt for some prime element tt, and 
the Frobenius at p is one of the elements ±7r, -iziir, ±7f , ±i7f . Which one it is, up to conjugation, 
is settled by a congruence modulo 2(1 + i), namely 

(3.24) a p = l(mod2(l + t)) 

(a Gaussian integer z = 1 (mod 2(1 + &)) is called primary). To see this, one can either express 
a p in terms of Jacobstahl sums and reduce modulo 2(1 + i) (see e.g. 12, 8.2]) or observe that 
the 2(1 + i)-torsion of A is rational over Q(i), hence over F p for p split in Q(i), so that (|3.24j) 
follows (.A [2(1 + i)] is generated by the two-torsion points (0, 0), (±1,0) and by (i, ±(i — 1)); see 
e.g. jRul Ex. 12.3]). 

Now if 7r is a Gaussian prime of the form tt = 1 + ni such that tt = 1 (mod 2(1 + i)), then 
p = n 2 + 1 is prime and tt is the Frobenius at p. But tautologically we have tt = 1 (mod n) in 
End(j4 p ), so that (Lemma l2~o]) d\{A p ) = n, and in fact, since N(ir — 1) = n 2 , A p (F p ) ~ (Z/nZ) 2 
(compare jSc-11 2.5]). Obviously n = L/P + 1]. 

In terms of p the condition is that p = n 2 + 1 and 4 | n (i.e p = 16n 2 + 1). It is expected 
that there exist infinitely many primes p of this form, but this is not known (see [i^ for the 
best "almost prime" results). The first few are p = 17, 257, 401, 577,..., 739601, ... 

Now if p is a prime of this type, any curve E' /Q with the same reduction modulo p as E will 
also have d\{E') = n. For instance, take 

E' : y 2 = x 3 — x — p 

which for all p does not have CM and for p = 16n 2 + 1 will have di(EL) = \^fp + 1] by 
construction. 

Obviously, for the purpose of finding an asymptotic evaluation of (|3.1j) . a few prime ideals 
with d\(p) close to y/Np do not matter much. One might expect that in general outside primes 
are rare, and the presence of "too many" of them should mean that E has CM. 

A partial clue in this direction is implicit in |Sc-l| p. 330]. We state the following simple 
result as an illustration: it shows that Example l3.16l is basically the only possibility in the most 
extreme case. 

Proposition 3.17. Let E/Q be an elliptic curve with j-invariant j, p ^ 11 a prime of good 
reduction of E such that 

drip) > 

Then j = jo (modp), where 

j £ J = {0, 1728, -3375, 8000, -32768, 54000}. 

In particular, there are only finitely many such p unless j £ J . In this case E is a CM curve. 

Proof. First observe that the reduced curve E p /F p is ordinary. Let tt £ O = Endp p (i?p) be the 
Frobenius endomorphism. We have ( Lemma 12. 6|) tt = 1 + di(E p )Tr' for some tt' E O, and 

\E p (F p )\ = N(ir - 1) = d^EpfNTr'. 

Moreover, since tt Z, tt' is not in Z either. Let D be the discriminant of the quadratic 
imaginary order O. For any z € 0, z Z, we have 

I-DI 
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and applying this to ir' we get 

\D\ < 4 



\E P (Fp)\ 



\E (F. )| 
^ 8 — - — — (by assumption) 
P 



< 8(l + — ) < 15 (since p ^ 11). 
V jp) 

But all quadratic imaginary orders of discriminant < 15 have class number one (see e.g. |Cox| 
Th. 7.30]). Now Deuring |Dej has shown that an ordinary elliptic curve A over a finite field F q 
"lifts to characteristic 0" . This means that there exists a number field K, a prime ideal p of K 
with F p = F q , and an elliptic curve A/K with CM by End(A) such that A p ~ A. 

Let E be such a lift of E p . It has CM by the order O with class number one, hence (see 
e.g. [Si-2| II- 2]) is defined over Q, and actually a table such as that in |Cox| 12-C] or |Si-2| App. 
A-3], shows that j{E) £ J = {0,1728,-3375,8000,-32768,54000}. Since E p ~ E p , we have 
j = j(E) (modp). □ 

Obviously this argument can be extended somewhat, but it seems hard to make interesting 
conclusions in greater generality. The difficulty is roughly as follows: say we want to estimate 
the number of p with d\(p) ^ Np® for some > (for example, 6 = 1/4, corresponding 
essentially to outside primes). As above one derives 

\D\ < Sp 1 " 26 

where D is the discriminant of the quadratic order End(F p ). This implies 

j(E) (modp) 6 O(p) 

for some finite set O(p) with 

l^(p)l«^ 2e 

for all such p. However since the cardinality of fi(p) is not bounded anymore, it is hard to go 
further. 

Indeed, compare this to the analogue approach to the study of supersingular primes of E: 
if p is a prime of supersingular reduction, we have j(E) (modp) £ fi'(p), where O'(p) is the 
finite set of supersingular j-invariants. Lang and Trotter, who initiated the study of the set of 
supersingular primes of elliptic curves, explicitly mention this idea and state |LTl p. 7] that it 
doesn't seem to bring useful results. 

We thus have the following problem: 

Problem 3.18. Let E/K be an elliptic curve without CM. What can one say about the distri- 
bution of outside primes of E? Are there infinitely many of them? If yes, how many are there 
< X ? Is is true that the series 



V — 

^ /Vti 



Np 

over outside primes of E converges? 

The first guess, for E/Q, might be that there are infinitely many outside primes. Heuristically 
from Proposition 16.431 one would expect that there are at most about X 1 / 4 outside primes 
^ X. See Section [7| for some numerical data: outside primes appear to be extremely scarce and 
Section 0] below for a first idea. 

Remark 3.19. Another seemingly simpler situation where "outside" primes can occur, which 
throws some light on the situation, is that of Kummer extensions. For simplicity, let a £ Z be 
a squarefree number. For d ^ 1, let = Q(/i d , a 1//rf ) be the Kummer extension generated by 
d-th roots of a. As is well-known, we have in this case an isomorphism 

GalCKd/Q) ~ (Z/dZ) x x (Z/dZ). 
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The order of the Galois group is thus dip(d), and one can define an outside prime for a to be 
p such that p splits completely in with p < d(p(d). 

It is easy to see that, given p, the largest d for which p splits completely in is d = 
(p — I)/ o p where o p is the multiplicative order of a modulo p : indeed we have p = 1 (modcQ, 
and a^ p ~ l ^ d = a° p = 1 (modp) so a is a <i-th power modulo p. 

Hence p is an outside prime if and only if 

p — 1 (p — 1 

p < ip 



Roughly speaking this is true if o p <C ^Jp (or equivalently if p \ a? — 1 with j <C y/p) ■ Thus 
the question is clearly related to Artin's conjecture about primitive roots and is currently much 
of a mystery. Getting non-trivial results seems extremely difficult, and one might expect the 
(non-CM) elliptic curve case to be also very hard. 

3.5. Brun-Titchmarsh problems. In the study of the Titchmarsh divisor problem, to obtain 
a proof of (|3.4[) requires dealing with the large moduli \/A/(log A) ^ d ^ \/X. Asymptotic 
formulae are not known in this range and do not follow from GRH (although they are conjectured 
to hold for d ^ A 1-5 , see e.g. |Gr| ). but one can prove by sieve methods upper bounds of the 
correct order of magnitude which are sufficient to derive the asymptotic formula from that given 
by GRH (or, unconditionally, by the Bombieri- Vinogradov Theorem). This was first done by 
Titchmarsh |Ti-lj ). 

Theorem 3.20. For all d ^ 1, all a with (a, d) = 1, and any e > we have 
(3.25) 7r(X;d,a)<C £ A 



rid) log x 

for d ^ X , the implied constant depending only on e. 

A sharp version has been proved by Montgomery- Vaughan |MVj : 

IX 

< 3 ' 26 > ^■'■-' Swiogx/d 

for all d < X. 

We recall for convenience how, using (|3.25|) . one can now finish the proof of (|3.4|) on GRH 
from (|3.6|) . Indeed, one has 

y n(x-,d,i) < y 

^ log A ^ <p(d) 

AloglogA 

(3 ' 27 > « -ikh 

for X ^ 2, and similarly 

y TT(d 2 + l;d,l) < y -y^- < 

^ ^ <p(d) log d log A 

d<Vx d<y/X 

for A > 2. 

This naturally suggests the following problem: 

Problem 3.21. Let E/K be an elliptic curve over a number field K . Is it true that for any 
e > there exists C(E,e) > such that 

(3-28) 7T E (X;d,l)^C(E,e) f 

I Gd | (log A) 

for all d ^ X 1 ^- 6 ? 
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Note that the restriction to d ^ X 1 / 9 is certainly necessary, since for larger d the "main 
term" of the Chebotarev density theorem is < 1 (for X large enough). See below for further 
discussion of this point. 

There's a remark that arises in writing such an inequality: should one write \Gd\, in the 
denominator, or instead, assuming that E is non-CM, \GL(2, Z/dZ)|? Both forms are equiva- 
lent, because of Serre's result that the index of Gj in GL(2, Z/dZ) is bounded. But in fact an 
inequality 

for d ^ X 1 ^ 9 ~ £ implies Serre's result: fix d, take e = l/(2g) (say), so for all X ^ d? 9 we have 

^^■l)<C( E ,(2 9 )-) |GL(2 ^ z)|(logJC) , 
whereas by the Chebotarev density theorem 

n E (X;d,l) 



X 



\G d \(logX) 



as X — > +00. Comparing implies 

[GL{2,Z/dZ) : G d \ ^C{E,(2g)- 1 ). 

Now it is interesting to note that the Brun-Titchmarsh inequality (|3.25[) is proved, with ip(d) 
in the denominator, without any mention of cyclotomic fields! The same argument backwards 
then deduces from (j3.25j) that the index of the Galois group of Q([i d ) in (Z/dZ) x is bounded 
(by 2, using (|3.26j) ). Of course, it is not hard to prove that it is 1 for all d (i.e. the cyclotomic 
polynomials are irreducible). 5 

Proposition 3.22. Let E/K be an elliptic curve over a number field. Assume that \3.2<^i holds 
for E in the range stated. Then we have 

(3.29) <p(d)ir E (X;d,l) < X (if E has CM) 

(3.30) V ip(d)TV E (X;d, 1) < (otherwise) 

^-^ log A 

for any e > and any X ^ 2, the implied constant depending only on E and e. 

Note this is weaker than what GRH implies (Proposition I3.8J) . but it may be the case 
that (|3.28fl is easier to prove, as in the cyclotomic case. The proof is immediate, and the 
statement is given only for completeness. 

It is clear that the Brun-Titchmarsh problem for K{E[d]) can be much generalized. Let us 
consider the following rather general context (compare |Se-21 ]): let K be a number field and 
K 1 /K an infinite Galois extension which is unramified outside a finite set of primes of K, and 
has Galois group Gsl{K' / K) which is (isomorphic to) a finite index subgroup of G(Z) for some 
smooth algebraic group G of finite type over Z. For d ^ 1, let K^/K be the fixed field of the 
kernel of the reduction modulo d map 

Gsl(K'/K) ^ G(Z) -» G(Z/dZ), 

a Galois extension of K with Gal(-fQ/l^) = Gal(i^'/-^) (modd), with obvious notation. The 
Galois groups Gal(iQ/K) are, by the map above, subgroups of G(Z/dZ) with index bounded 
for d ^ 1. Let g be the (relative) dimension of G/Z. 



5 Any constant < 2 in 13.251 would reprove this, but it is well-known (see references in |HRI p. 123]) that such 
a result would bring much richer rewards, as it would eliminate the possibility that the so-called Landau-Siegel 
zeros of quadratic Dirichlet //-functions exist. 
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Definition. With notation as above, the field K' is a Brun-Titchmarsh field if and only if for 
any e > we have 

(3.31) n K ,(X;d,l) <^, E ' A 



\G(Z/dZ)\ logX 

if d ^ X 1 / 3 ^, the implied constant depending only on K' and e, where 7Tx'(X;d, 1) is the 
number of prime ideals of K with norm ^ X which are totally split in 

So the cyclotomic extension Q ab /Q is a Brun-Titchmarsh field, and Problem 13,211 can be re- 
phrased as asking whether the field K(E[oo]) = \J d K{E[d]) is a Brun-Titchmarsh field. Other 
examples arise naturally: for the same E/K, not CM, let K' C K(E[oo]) be the subextension 
corresponding to the closed subgroup Z(Z) n G&\(K (E[oo])) , where Z is the center of GL{2). It 
has Galois group G which is of finite index in PGL(2, Z), hence g = 3 in this case. If K' JK were 
a Brun-Titchmarsh field, and assuming GRH for Artin L-functions, the asymptotic formula 

tp(d)Tr E (X;d,l)~ c (E)li(X) 

(as X — > +oo) would hold for any e > 0. Indeed from (|3.15jl . it suffices to estimate the sum over 
X 1 / 4 /(logX) < d < I 1 / 3 " 6 . This can be done using the Brun-Titchmarsh inequality (|3.31|) for 
since primes which are totally split in K(E[d]) must also be so in 

X ^ ip(d) 



ip(d)TT E (X;d,l) <e 



logX ^ \PGL(2,Z/dZ)\ 



x 3/4+ £ 



One may ask similar questions with more general sets of conjugacy classes replacing the 
identity element; this is left to the reader to formulate, together with some potentially useful 
example for the elliptic splitting problem. 

Besides the cyclotomic extension of Q, it seems few Brun-Titchmarsh fields are known. We 
will see in Section 15.61 that the division fields of CM elliptic curves provide further examples. 
But all those correspond to (essentially) abelian Galois groups. 

Problem 3.23. Find a Brun-Titchmarsh extension K' /K corresponding to an algebraic group 
G/Z of dimension > with non- abelian connected component. 

The known proofs of the classical Brun-Titchmarsh inequality and of those for CM curves are 
based on sieve methods: one can use almost any form of 'additive' sieve (see [HR ) or a refined 
version of the large sieve (see |Bo| §3 or §4]). The latter may be generalized, to a certain extent 
using techniques as in |KM| Prop. 9] to handle Artin L-functions, but this requires to be useful 
that all irreducible representations of the finite groups G(Z/dZ) be of degree ^ 7' for some 
7' > independent of d, which is equivalent to the connected component of G/Z being abelian. 
However, this fails to give useful information for the Brun-Titchmarsh problem; this is because 
the required saving of the factor l/\G(Z/dZ)\ comes, in the case of arithmetic progressions, 
from summing over integers n = 1 (mod d) by writing n = md + 1 and summing over m. This 
underlying regularity is of course inexistent in more complicated extensions. 

This suggests another problem: prove (|3.25|) without appealing to the regularity of arithmetic 
progressions. 

4. Elliptic twins 

4.1. Definition. The first step in the direction of Problem 13.181 introduces instead another 
interesting analytic problem. Let K = Q for simplicity. Fix X ^ 1 and an integer d such 
that d 2 > 8X 1 / 2 . Let {pi, ■ ■ ■ ,Pk} be the set of primes splitting completely in Q(E[d\) (i.e. 
d I d\(E p .)) with pj ^ X, and assume they are indexed in increasing order, so that pj < pk if 
j < k. 
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Consider p = pj and q = pj+i for some j. Since 

d 2 | di{p) 2 | n p (E) =p+l- Op(E) and also d 2 \ di(q) 2 \q+l- a q (E) 
we get by subtracting 

d 2 | (q-p) + (a p (E)-a q (E)). 

Therefore, if the right-hand side is non-zero, it follows that 

q >P+ (a p (E) -a q (E)) + d 2 , 

but by the Riemann Hypothesis for E p and E q , and the assumption d 2 > &X 1 ! 2 > Sq 1 ^ 2 , we 
have 

d 2 

\a p (E) - a q (E)\ ^ 2(^+ Jq) ^ —, 
hence we get a gap between p and q, 

d 2 

which is stronger than the "trivial" gap imposed by the congruence p = q = 1 (mod if). 
However, this is subject to the condition that 

(q - p) + (a p (E) - a q (E)) ^ 

which is equivalent with 

\E p (F p )\^\E q (F q )\. 

There is no reason this should not occur, and this prompts the following general definition: 

Definition. Let K be a number field and E/K an elliptic curve. Two distinct prime ideals p 
and q of K are called elliptic twins for E if 

|£ p (F p )| = |£ q (F q )| 

i.e. E has as many points reduced modulo p and modulo q. We say that p has an i?-twin, or 
simply a twin. 

Remark 4.1. More generally, let C/K be an algebraic curve (or even an arbitrary algebraic 
variety) and fix C/Ok[^/S] a model of C defined over the integers of K (minus a finite set S of 
primes). Two distinct prime ideals p and q of K which are not in S are called C-twins if 

|C„(F P )| = |C q (F q )| 

We say that p has a C-twin. Note that except for finitely many pairs, this is independent of 
the choice of the model C, but for definiteness one may chose one of the preferred models of C, 
or define twins for a variety defined over an open subset of Spec Ok- 6 

N. Katz first suggested the following case, justifying the rapprochement with twin primes: 
instead of an elliptic curve, consider the affine conic C : x 2 + y 2 = 1 over Q (equivalently, to 
stay with algebraic groups, the restriction of scalars from Z[i] to Z of the kernel of the norm 
map G m / Z [j] — >■ G m / Z ). This "is" a model over Z, and we have (remember C is affine) 

if p = 3 (mod 4) (p is inert in Q(i)) 
if p = 1 (mod 4) (p splits in Q(i)). 

Consequently, the condition \C p \ = \C q \ means either p = q, or (1) p = 1 (mod 4) and p — 2 is 
prime (it is then inert and |C p _2| = (p — 2) + 1 = p — 1 = |C P |), or (2) p = 3 (mod 4) and p + 2 
is prime, which is (1) with p and p + 2 exchanged. Hence the C-twins are "half" the ordinary 
twin primes, namely pairs (p,p + 2) with p = 3 (mod 4). 

Note it doesn't seem to be possible to get the other half of all twin primes 7 in this manner: 
using a conic one would need a quadratic field K with the property that p is split in K if and 
only if p = 3 (mod 4) We ask: 

^Especially since no variety is known to have infinitely many twin pairs... 

7 Numerical experiments (and standard conjectures) confirm that those "two-halves" are equidistributed, in 
an obvious sense. 
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Question. Is there an algebraic variety X/Z[l/2] with the property that p > 2 and q > p are 
^-twins if and only if q = p + 2 ? Is there one such that p and q are A'-twins if and only if 
q = p + 2 and p = 1 (mod 4)? 

The author's guess is "No" . 

The definition of elliptic twins certainly looks unnatural from a geometric viewpoint: we 
compare the reduction of a curve modulo two distinct primes. But in the absence of better 
ways of bounding the number of outside primes, and as analogues of the ordinary twin primes, 
they are worth investigating. 

4.2. General facts. We now introduce some more notation. Fix an elliptic curve E/K defined 
over a number field. We define three arithmetic functions: 

(4-1) n p = \E p (F p )\, 

(4.2) M(n) = | {p | Np ^X and n p = n}\, 

(4.3) m(p) = M(n p ). 

So n p and m(p) are supported on primes of K, and M(n) is defined for all n ^ 1. 

Of course p has an E-tw'm if and only if m(p) > 1. We'll say that an n ^ 1 is a twin value if 
M(n) > 1, and call the primes p with n p = n the E- twins associated to n. 

The main questions about elliptic twins concern the behavior of those three functions. In 
particular: 

Question. What is the behavior of the function 

(4.4) j(X) = \{n ^ X | n is a twin value }| 
counting the twin values up to X, or of 

(4.5) J(X) = \{p\Np^X and p has an £-twin}|. 
Question. What is the behavior of the sum 

(4.6) T(X) = ™(P) 

Np^X 

as X — > +oo ? 



Question. More generally, for fixed k ^ 0, what is the behavior of the moments of m(p) and 
M(n) 

(4.7) S k (X) = £ M(n) k 

(4.8) T k (X) = £ m(p) k . 

Np^X 

Question. Differently formulated: what can be said about M(n)? How large can it be com- 
pared to re, and how does it behave as n — > +oo? 

Question 14.21 is the elliptic analogue of the classical twin-prime problem. On the other hand, 
because the analogue of the "multiplicity" M(n) is simply the constant 2 for the twin-prime 
problem, Questions l4.2ll4~2*l and l4~2*l do not have a classical counterpart and are genuinely elliptic 
problems. 

Also of interest is the dependence on E of all those quantities, in particular the "meta- 
question" is: what global arithmetic invariants of E can be extracted from information about 
the functions M(n) and m(re)? (Recall that according to the Isogeny Theorem, the curve E/K 
is determined up to X-isogeny by the function p ^ re p ). We will see that it is likely that one 
can extract from the asymptotic of j(X) whether E has CM or not. Recall the notation x + 
and x~ (Oil . 
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Lemma 4.2. Let E/K be an elliptic curve over a number field. For any n 1 we have 

(4.9) n p = n =>■ n~ ^ Np < n + , 

(4.10) JVp - < n < iVp+. 
and 

(4.11) M(n) ^ |{q | q is prime and n~ < iVq < n + }| < [if : Q 1 v " 



log(n + 1) ' 
the implied constant being absolute. 

Proof. The implications (|4.9jl and (|4.10j) are just the Riemann Hypothesis (|2.6JI for Ep. The 
bound on M(n) then follows trivially by definition; for the last inequality, observe that if q 
is prime and n~ ^ iVq ^ n + , Nq is a prime power in that range, of which the number is 
<C y / n/(log(n + 1)), with an absolute implied constant. Each prime power q* can occur for at 
most [K : Q] prime ideals since q must be above q in K (compare (|5.4|) below). □ 

Remark 4.3. The delicacy of the matter is indicated by the fact that the size (about y/n ideals 
among n with Na ^ n) of this range is just such that even on the Generalized Riemann 
Hypothesis it is not possible to ensure that it contains at least one prime ideal p for all n large 
enough. Indeed, on GRH we have 

tt k (X) = li(X) + 0(X^ 2 (\ogA K X) 

(where Ak is the absolute value of the discriminant of K; the implied constant is absolute, 
see |Se-2| ] for instance). This only implies 

KK(n + ) — iTK(n~) <C n 1 / 2 (log A^n) 

which is worse than the trivial bound obtained by counting all integral ideals. 

The "trivial" bound (|4.11|) is in a sense best possible, because it is possible to find curves over 
a finite prime field Z/pZ with any value of satisfying |oe| ^ 2»/p. We state more formally 
this easy fact: 

Proposition 4.4. Let n ^ 1 be an integer. There exists an elliptic curve E/Q with good 
reduction at all primes p such that n~ ^ p ^ n + , and with n p = n for all such primes. 

In contrast with the remark above, note that it is known that for "most" integers n the 
number of primes described is S> \/n/(logn) (see e.g. |Haj . where this is shown to hold for 
n < p < n + n 5 for any 5 > 1/10; the case 5 = 1/2 is much easier). 

Proof. For p with n~ p ^ n + , let b p = p + 1 — n, so by construction we have \b p \ ^ 2y^p. 
By work of Deuring |Dej (Honda- Tate theory for elliptic curves, see Theorem 16 . 81 below) . there 
exists an elliptic curve E/F p with oe{p) = b p . Consider a Weierstrass equation 

E p /F p : y 2 + ai(p)xy + a 3 (p)y = x 3 + a 2 (p)x 2 + a 4 (p)x + a 6 (p) 

for such a curve. By the Chinese Remainder Theorem we can find a, G Z, i = 1,2,3,4,6, 
reducing to a«(p) modulo p for all p with n~ ^ p ^ n + . Then the curve 

y 2 + aixy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 

is an elliptic curve (since it reduces to a non-singular curve modulo those primes), and it has 
n p = n for all the primes p in question. □ 

Of course, having constructed one n with M{n) S> \fnj (logn) does not tell anything about 
the asymptotic growth of M(n) as n — > +cxd. The following trivial lemma shows (in particular) 
that on average M(n) is much smaller. 
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Lemma 4.5. Let E/K be an elliptic curve over a number field, k ^ 1 an integer. We have 

S k (X) = rn(p) k ~\ 

n p 

In particular 

(4.12) J2 M ( n ) = *k( X ) + Qk(^X), 

where ttk(X) is the number of prime ideals of K with Np ^ X. 

Note that n p ^ X implies Np ^ X + , but this condition is included in the summation to 
recall how the size of -/Vp is controlled. 

Proof. We have 

£ M{nf = £ M{n) k -\Y. l ) = E M ( n p)*~ 1 

n^X n^X ra p =n n p ^Jf 

Np^X+ 
n p ^X 

Then (|4.12f) follows by taking k = 1 and noting that 

| E i- E i|< E k<-^- 

ATp^X+ X~^Np^X+ 
n p ^X 

□ 

Question. Is it true that 

(4.13) M(n) = E Jn £ ) 
for all e > 0? 

We will see in Section 03 that this is true for CM curves (and we will give a more precise 
result). Heuristic and numerical evidence point to even stronger results, but note that because 
of Proposition 14.41 any progress requires using global properties of the elliptic curve. 

If (|4.13|) holds it follows that we have 

(4.14) S k (X) = T k _ 1 (X) + E ^ k (X 1 / 2+e ), for any e > 0. 

Finally we remark that the two functions j(X) and J(X) are somewhat different, since J(X) 
counts the twins with multiplicity. For this reason (see Section it is a little bit easier to deal 
with. 

4.3. Heuristic. Here we consider an elliptic curve E/Q which doesn't have CM, and we make 
some rough heuristics concerning elliptic twins. It should be possible to give somewhat more 
convincing arguments and more precise predictions using a probability model such as that used 
by Lang-Trotter |LT] . 

For a prime number p, there are about 4 v /p possible values of a p , and according to the 
Sato- Tate conjecture, they should be such that the angle 9 p € [0, tt] satisfying 

a p = 2-y/pcos P 

is equidistributed with respect to the measure dfi = ^ sin 2 Odd. 

Compared to the uniform measure, this measure is concentrated around 0, which should tend 
to limit the possibility of E-tw'ms occurring, since a twin q must have a q = n p — q — 1, so q 
getting relatively large sends a q towards the extreme, less probable, range of possible values. In 
particular, for heuristic purpose, assuming a p to be uniformly distributed should bias the result 
towards more twins. 
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In a uniform situation, each possible prime q, p ^ q ^ p + , has probability about 1/y/q of 
being a twin of p. Since q must be prime, this makes a probability about 

1 ^p 1 

x 



(logp) logp 

for p to have at least one twin. This is comparable to the situation with classical twin primes 
p, the probability of p + 2 being prime being about l/(logp). In particular we can ask 

Question. Let E/Q be an elliptic curve over Q without CM. Prove or disprove that 

{logxy 

for some c > as X — > +oo. 

It is conjectured that the number ^(X) of twin primes ^ X satisfies 

^ {x) ~ c2 (io^F with C2 = 2 n v 1 - (^tf ) = L32os • • • 

In Section [3 we'll see it seems more plausible that for E with CM, we have 

J{X)~ C -?—, j(XW A 



logX' JV ; (logX) 3 / 2 ' 

Concerning the multiplicity question, the same vague heuristic suggests that the probability that 
p has k twins is about l/(logp) fc , and this would seem to imply that the maximal multiplicity 
is 

(4.16) m(p) = k& - l °f P . 

log log p 

Again, in the CM case, Section \5\ suggests that m(p) can be much larger, almost as large as a 
divisor-like function. 

For numerical experiments, see Section |7| below. 

5. Curves with complex multiplication 

The analytic problems we have raised can be analyzed much further for CM curves. For 
elliptic twins, this will reveal some differences (so that, for instance, the behavior of M(n), 
m(p) should distinguish between CM and non-CM curves) while highlighting in a different way 
the connexion with the classical twin primes. We will prove upper bounds for the moments of 
M(n). Those upper bounds are such that general expectations about primes represented by 
polynomials lead to believe that they are of the correct order of magnitude. 

5.1. Preliminaries. We recall the basic facts of complex multiplication theory that describe 
the reductions of a CM curve and their Frobenius endomorphisms. The theory is basically due 
to Deuring; see for instance |Si-21 II] for a modern treatment. 

Let E/H be an elliptic curve over a number field H with CM by an order O in the ring of 
integers Ok of a quadratic imaginary field K. For simplicity, we will assume in this section that 
K C H, i.e. the defining field contains the CM field. This excludes in particular the important 
case H = Q, but the principle still applies in the general case, and we will extend the results for 
one curve over Q in Section 17.31 so that a complete treatment could be easily obtained (recall 
that in any case the composite field HK is at most a quadratic extension of H, so the case 
H = Q is really "complementary" to the case K C H). For a given imaginary quadratic order 
O, it is known f |Si-2l ]) that all elliptic curves with CM by O can be defined over the ring-class 
field associated to O (e.g., if O = Ok, over the Hilbert class-field of K). 

The following notation will be used: for an imaginary quadratic field K/Q, we let x = Xk 
denote the Kronecker symbol for K, i.e. the primitive quadratic Dirichlet character associated 
to K by class-field theory, and let r(n) or r^(n) denote the arithmetic function 

r(n) = r K (n) = \{a C O k \ Na = n}\ 

25 



so that the Dedekind zeta function of K is given by 

Ck(s) = ^(Na)- s = Y,r K {n)n- s 

a n>l 

= H(i-(N P )- s )- 1 = as)L(s,xK). 
p 

In particular, 

(5.1) r K (n) = ^2xK(d), r K (n) < d(n), 

d\n 

where d{n) is the "number of divisors" function. It will be convenient to fix once and for all a 
basis (l,o;) of Ok as a Z-module. 

The following result is that part of the Main Theorem of Complex Multiplication that will 
be needed (see |Si-21 ]): 

Theorem 5.1. With the above notation, there exists a map p i— > ip(p) £ ®> fr om the set of 
prime ideals of H where E is unramified to O, with the property that ip(p) is the Frobenius 
automorphism for Ep/F p . 

In fact, properly normalized, this map extends to the Grossencharakter of E ( |Si-2| ], |Ru[ 
]), but we do not need this deeper fact. 

We denote by S(-B) the image of if), i.e. the set of all Frobenius endomorphisms of E at 
primes of K. 

By the properties of the Frobenius automorphism, if p is an unramified prime ideal of H , we 
have 

(5-2) N§p = \F p \=N§^(p)), 

and 

(5.3) n p = N$W,(p)-l). 

We will reduce the problems about prime ideals in H to those of K using the following simple 
lemma: 

Lemma 5.2. With the same notation as before, for any prime ideal p in K, tp{p) is divisible 
by a single prime p, and for any z S Ok with this property 

|{p | i,(p)=z}\^[H:Q] 

Proof. Equation Q5.2|) proves the first statement. Then for any p in H with ip(p) = z, the prime 
p below p in Q is independent of p: it is the unique p such that N^z = p u for some v 1. 
Hence the number of p is ^ [H : Q] . □ 

5.2. Elliptic twins. We apply now the theory of complex multiplication to elliptic twins. We 
keep the same notation and convention. First we can answer Question IP for a CM curve. 

Proposition 5.3. Let E/H be a CM curve. We have for n ^ 1 

(5.4) M(n) ^ [H : Q]r K (n), 
and in particular for any n ^ 1 and any e > 0, 

(5.5) M{n) = E ^), 
the implied constant depending only on E and e. 

Proof. By (|5.3|) . for any p with n p = n, the integer z p = tp(p) — 1 £ O C Ok is a solution to the 
norm equation NqZ = n in K. Moreover, if z is any solution of this equation, all prime ideals 
p with Zp = z satisfy ip(p) = z + 1. Thus by Lemma E21 for each z there are at most [H : Q] 
prime ideals p with Zp = z, hence (|5.4|) follows. 

Now (|5.5|) is immediate since r(n) <C £ n e (for instance, use (|5.1|) ). □ 

26 



Our main result is the following theorem. 



Theorem 5.4. Let E/H be a CM elliptic curve as above. For any e > 0, we have 

(5.6) S k (X) « X(logXf^ +£ for k > 1 

(5.7) T k (X) « X{\ogXf^ +e for k > 0, 
for X ^ 2, where 

(5.8) P(k) = 2 k - k - 2. 
The implied constants depend on k, K , H and e. 

Remark 5.5. One can probably put e = 0; indeed, this is the case for T k (X) for k = 0, k = 1, 
and for all k the proof yields a stronger result with (log A) e replaced by a power of log log X; 
since I believe this is mistaken anyway (see the proof of Proposition I5.15|) , I prefer not to put 
this stronger statement. 

For example, 

Y m(p) <^ K j— y , Y m( $? ^ K X - 
Np^X °^ Np^X 

Moreover, we'll see in the course of proving the theorem that standard conjecture about primes 
represented by polynomials imply that the estimates (|5.7[) and (|5.6f) are of the correct order 
of magnitude. For To (A), this is just the Prime Ideal Theorem in K (and doesn't give any 
information about elliptic twins). 

Before starting the proof, we remark that by Proposition 15.31 and (|4.14j) . the bounds ()5.6|) 
and (|5.7|) are equivalent. We will work with Xfc(A) for k ^ 1, the case k = being obvious. 

5.3. Reduction to twin-prime-like counting. The strategy of the proof is to reduce to some 
counting of (principal) prime ideals in the ring Ok, and to use (|5.3|) to put the counting into 
the shape of "parallel" twin-prime-like equations, for which upper bounds of the (conjectural) 
correct order of magnitude can be efficiently and uniformly obtained by a sieve method. In this 
case, we'll use Huxley's version of the large sieve in number fields |Huj . 

A prime element in Ok is an integer z such that (z) is a prime ideal. We first reduce to those 
p such that yj(p) is a prime element. 

Lemma 5.6. Let E/H be as above. We have for any k ^ and any e > 

(5.9) ]T m(p) k « e , x , fe X l ' 2+£ 

Np^X 

the implied constant depending only on e, K and k. In the sum, fp is the residual degree of p. 
Proof. By (|5.5|) . we have 

Y ni(p) k « £ifc A- Yl 1 

Np^X Np^X 
fp ^2 /„ ^2 

P k <X 

□ 

Henceforth we only consider prime ideals p of H which are of degree 1. In particular, by (|5.2|) . 
ip(p) is then a prime element of Ok- 

Next we deal with the parameterization of elliptic twins. Recall that an integer z € Ok is 
primitive if it is not divisible by any d £ Z, d ^ ±1; in terms of the basis (l,w) of Ok, if 
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z = a + bu, this means that a and b are coprime. We let U denote the set of primitive elements 
in Ok modulo dbl. Note that any non-zero z G Ok can be written z = dv for some d G Z and 
some v £ U: if z = a + ba;, d = (a, 6), t> = z/d. The pair (d, t>) is unique, up to simultaneous 
sign-change. 

The norm Nu of an element u £ U is well-defined. So is the complex-conjugation (i.e. the 
action of the Galois group of K). In addition, for a A;-tuple u = (u\, . . . , u^) G U k we define the 
discriminant disc(«) to be 



(5.10) disc(u) = ]"[ 



This is well-defined up to sign so it can be thought of as an integral ideal in K. Note that, by 
primitivity, disc(n) = if and only if there exist i ^ j such that U{ = Uj (in hi) (see the proof 
of the next lemma). 

Lemma 5.7. Let T be the set of z G K of norm 1. There exists a bijection 

rj :U — >T 

given by u i— ► u/u for u G U. 

Proof. Clearly r\ maps IA into T. Moreover, r\ is injective: if r\{v) = tj(w) with v, w £W, we get 
v/w G Q (because it is Galois-invariant), so we have av = bw for some a, b G Q, (a,b) = 1. 
Because v and u> are primitive, this implies that \a\ = \b\ = 1, so v = ±w. 

It remains to prove surjectivity. This amounts essentially to finding all pythagorean triples 
(when K = Q(i)), but instead of doing it by hand, we can appeal to Hilbert's Theorem 90 for 
K/Q (see e.g. |La| VIII-6]): for z G K x , Nz = 1 is equivalent with z = w/w for some w G K x . 
Writing w = vd/e for some v G IA and d, e G Z, we have z = v/v = f](v). □ 

Note that one can write the discriminant disc(n) as a Vandermonde determinant 
disc(u) = {ui-'-Ukf- 1 Yl -rj(uj)) = (ui • • • Ukf' 1 \r]{ui) j ~ l \ y . 

l<i<j<& 

Lemma 5.8. Zei 6e an imaginary quadratic field. For integers w, z G Oi^, we /tawe 

(5.11) N(w-l) = N(z-l) 

if and only if there exists an u £ti such that w = f u (z), where f u is the linear form 

u 

(5.12) f u (z) = v (u)(z - 1) + 1 = -{z - 1) + 1. 

u 

Such an element u GU is unique. 

Proof. This is an immediate consequence of the previous lemma: (|5.11j) holds if and only if 
N((w — l)/(z — 1)) = 1, therefore if and only if there exists a u G U (which is unique) with 

w — 1 . . u 
= V [u) = -, 

2—1 U 

i.e. w = r)(u)(z - 1) + 1 = f u {z). □ 

Note that in this lemma we have w = z if and only if u = 1 and it; = z if and only if u = £. 

By (|5.3|) . it follows that if n p = n q , there exists u £ U such that VKf) = /u(^(q))- For a 
given n, since V'(p) is a prime element, this is similar to the classical twin-prime problem: the 
question is to find prime elements tt G Ok such that f u (^) is also prime (note that f u can not 
be properly defined for prime ideals). 

There are infinitely many u G Lt, but there is a (congruence) condition for f u (z) to be an 
integer when z G Ok, and this will restrict the values of u occurring in a sum like Tf : (X). 

Lemma 5.9. Let u = (ui, . . . , Uf.) G U k . For z G Ok, we have 

fui(z) G Ok for all i, 1 ^ i ^ k, 
if and only if z = 1 (mod [u\), where [u\ is the (ideal) I. cm of the elements u\,. . . , u^. 
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Proof. It suffices to treat the case k = 1, by definition of the l.c.m. Since 

/„(*) = -(*-i) + i 

u 

we have / u (z) £ if and only if r](u)(z — 1) € O/^. Since u is primitive, ii and u are coprime, 
so this is equivalent with z — 1 £ (it), i.e. z = 1 (mod it). □ 

In other words, the "twin-prime problem" for f u concerns only prime elements tt £ Ok with 
7r = 1 (mod u). 

Corollary 5.10. Lei p fe a prime ideal of H with Np ^ X. We have 

(5.13) m(p)= ^ 1. 

/»(V>(p))e£(£) 

Proof. By the above we get directly 

(5.14) m(p) = £ 1. 

new 
/ u (V(P))e£(£) 

Let z G Ok be an integer with Nz ^ X and f u (z) £ O^- By Lemma 15.91 we can write 

z = uv + 1 for some v £ Ok, 
which implies Nu ^ N(z — 1) ^ X + . Hence the result. □ 
Corollary 5.11. Let p be a prime ideal of degree 1 of H with no twin of degree ^ 2. We have 

(5.15) m(p) < 2[H : Q] ^ 1. 

fu(i[>(p)) is prime 

Proof. As in the proof of Proposition 15.31 to each prime element tt of Ok, there correspond at 
most [H : Q] prime ideals p of H with ip(p) = tt. Hence the previous corollary implies 

(5.16) m(pK[F:Q] £ 1. 

Nu^X+ 
fu(i>(p)) is prime 

Write tt = ip(p) for simplicity. For z £ Ok such that Nz ^ X and f u (z) £ 0^- we have by 
Lemma 15.91 

(5.17) z = uv + 1 for some v £ Ok, 
and 

= uv + l. 

We can use the classical trick of Dirichlet of switching divisors: remark that taking v instead of 
u in (|5.17|) leads to 

f v (z) =vu + l = f u (z). 

In particular, if f u {z) is prime, so is f v (z), hence both u and v occur together in ()5.16j) . Since 
one of them has norm si V X + = \[X + 1, the corollary follows. □ 

We now rewrite the sum T k (X). 

Lemma 5.12. Let k ^ 1. We have 

T k {x)= w + o, >k;K (xy^) 

u0A k 
Nui^X+ 

for any e > 0, where 

Tu{X) = \{p degree 1 in H \ Np ^ X,f Ui (^(p)) £ £(£) for 1 < i ^ k}\ 
foru= (ui,... ,u k ). 
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Proof. By Corollary I5.1U1 

m (P) L 



new 
/ u (^(p))eS(E) 

By Lemma 15.61 we can reduce to prime ideals of degree 1, 

T k (X)= m(p) k + 0(X 1/2+£ )- 

Np^X 
/p=l 

Expanding the fc-th power and changing the order of summation, the result follows. □ 
Corollary 5.13. Let k ^ 1. PFe have 



T k (X)« £ T+^PO+O^X 1 / 2 ^) 



/or any e > 0, where (l,u) is a (k + l)-tuple, and for any k-tuple v = (t>i, . . . , t^) we /ei 

(5.18) = |{zeOjf | Nz < X and /^(z) is prime /or 1 ^ t ^ fc}|. 
T/ie implied constant depends on e, k and H. 

Proof. Instead of Corollary 15.101 we use Corollary 15.111 note that it may well happen that p 
is of degree 1 but has a twin of degree 2 and such twins are not counted in 1)5.18(1 . but the 
contribution of such twins is trivially <C X 1 ! 2 ^ , by the same argument used in Lemma 15.61 □ 

Note that [v] = \u] if v = (1, u). 

Theorem 15.41 is a consequence of the following two propositions: 

Proposition 5.14. Let A/Q be an imaginary quadratic field, k 1 an integer and let u 6 U k 
with N[u\ ^ X. Assume that Ui ^ Uj for i ^ j (inU). Then we have 

- ' N\u] (log(X/N\u\)) k 

for X ^ 2, where 

(5.19) mu)= n (l+j^)- 

p|AT[«]disc(«) 

The implied constant depends only on K and k. 

Proposition 5.15. Let A'/Q be an imaginary quadratic field, k ^ an integer. For any e > 
we have 

L — ' TV [u| 

«eW fe 
Nu^X 

for X 2, where j(k) = 2 k — 1. T/ie implied constant depends only on K , k and e. For k = 0, 
we put, by convention, U k = {1}. 

These will be proved in Section f5.4l and 15.51 respectively. 

To finish the proof of Theorem 15. 4( let 

T k + (X)= £ T+JX) 

u<=U k 
Nu^VX+1 

split the sum T^(X) into k subsums TjT-(X), ^ j ^ k, where T^AX) is the sum of the 
T^ u j(X) for those u G U k where there are j + 1 values among the components of (l,u) i.e. the 
set {1, Ui} has j + 1 elements. 
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By Lemma 15. 131 and Proposition 15.141 (applied to the corresponding tuples (l,i)) for (j + 1)- 
tuples, we have 

T kA*)«E T L)W +xl/2+£ 

u 



Nv^X 

< X(logX) 7(j) ^- 1+£ for any e > by Proposition E33 

In the next-to-last inequality, we used the fact that if the set {1, Ui] has j + 1 elements, [u] = [v\ 
where v is any j-tuple whose components are the j elements of {ut}, and applied Proposition ^. 15l 
for j (there is a multiplicity for each v, but it is a combinatorial function of j and k only) . 

Summing over j /c, the theorem follows, since j i— ► — j — 1 = I 3 — j — 2 is increasing 
for j ^ (0 ^ —1, 1 i— > — 1, 2 i— ► 0, 3 i— * 3 . . .). The implied constant depends on fc, i^, and H. 

Remark 5.16. We conclude by justifying the assertion that Theorem 15.41 should provide the 
correct order of magnitude for Sk(X) and T^{X) as X — ► +oo (up to the (logX) e factor, see 
Remark 15. 5(1 . First, for T+(X), we are counting integers z congruent to 1 modulo \u\ such that 
the k+1 linear forms f Ui (z) take simultaneously prime values. For any u E U, we have = 1, 
hence there is no non-trivial common divisor to the values f u (z) for z E Ok, z = 1 (mod it). 
Also, if no two Ui coincide in U, the condition that f Ui (z) be prime are "independent". Thus 
the usual heuristic predict that there should be infinitely many z = l(modn) for which the 
f Ui take prime values, and moreover, each of those k + 1 conditions should be satisfied with 
"probability" l/(logJf) for Nz ^ X. 

Since the congruence condition limits the values of z allowed, this justifies that Proposi- 
tion gives the asymptotic behavior, up to the arithmetic factor (pk{u), which is very small; 
the asymptotic behavior should be 

< 5 ' 20 > T i^~'^ N m o g X)^ 

as X — » +oo, for some (more complicated) arithmetic function c(u) ^ 4>k(lL)- Any other 
heuristic confirms this, of course; that based on cancellation in long averages involving the 
Mobius function could in theory provide a prediction for the value of c(u) as an Euler product. 

If it seems reasonable to expect that (|5.20(l holds, one may also expect that it does uniformly 
at least in a range N[u\ ^ X s for some 5 > 0, and this would provide a lower bound for T + (X) 
of the same order of magnitude. 

The reader will easily convince herself that all other overcounting done in deriving Theo- 
rem should have at most the effect of introducing a multiplicative constant: this includes 
the step from Frobenius elements T,(E) to all prime elements in K and the overcounting used 
in the proof of Proposition 15.151 (because of the logarithmic scaling of that sum). 

5.4. Twin-primes in quadratic fields. In this section we prove Proposition 15.141 The argu- 
ment is cleaner when the ideal [u\ is principal: the reader may assume that it is so in a first 
reading. 

Apart from the fact that we work over a quadratic field, the problem is quite standard, and 
the proof will be close to, for instance, the arguments in |Bol §3]. 

We will use the large sieve for K, in the version given by Huxley |Hul Th. 2]. First some 
notation: for an integral ideal n of K, we denote by (Oi^/n) v the group of additive characters 
of Ok/xi. We write 



E 
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for a sum over the primitive characters of i.e. those which are not induced by a character 

modulo m for some m dividing n. Also we denote by 

E a « 

n 

a sum over squarefree ideals n. 

We define the height of z G Ok by 

h(z) = max(|a|, 
for z = a + bu). There exists a constant k > such that 

(5.21) Nz < X implies h{z) < kVx for X > and z G Ox 
(one can take k = 2 for all if if the basis (l,u>) is the "canonical" one). 
Theorem 5.17. (Huxley) Let K/Q be an imaginary quadratic field. We have 

(5.22) E E* | E a(^modn)| 2 «(X 2 + Q 2 ) £ |a(z)| 2 , 

where (a(z)) is any sequence of complex numbers, Q and X are any real numbers ^ 1. The 
implied constant is absolute. 

From this, proceeding as in |Bo| Th. 6], we derive an arithmetic sieve result: a sieve here is 
a pair (M, f2) where 

M = {z G O k I h{z) < X} 

for some X ^ 1 and f2 is a map which associates a subset fJ(p) ^ ^/P to- prime ideals p with 
norm Ap ^ Q. We denote w(p) = |f2(p)|. The corresponding sifted set is 

(5.23) M = {z | ^ I and z (modp) g 0(p) for all p}. 
Corollary 5.18. Let K/Q be an imaginary quadratic field and (M, fi) a sieve. We have 

|M| « 

Nn^Q p\n 
for n squarefree. The implied constant is absolute. 

We will apply Corollary 15. 181 to the situation of Proposition 15. 14l 

To setup the situation, we use the ideal-class group of K. Let a = \u\, let bo be an integral 
ideal of K with minimal norm in the ideal class inverse to that of a, say 

obo = (do) for some ao 6 Ok- 

If z G Ok satisfies z = 1 (mod a), there exists an integral ideal b such that 

(z - 1) = ob 

and since (z — 1) is principal, b and bo are in the same ideal class, i.e. there exists b G K x such 
that 

(5.24) b = 6b , hence (z - 1) = (a b). 

Since b is integral, the denominator of b is bounded (by that of Abo), i- e - there exists do G Z, 
independent of z and with do | Abo, such that b = c/d$ for some c G 0^. 

Hence, using (|5.24j) . there exists a unit e G 0£ (a finite group of order ^ 6) such that 

(5.25) z = e^ + l. 

d 
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Therefore 

(5.26) T+(X) < V \{c£O k | js = + 1 satisfies N(z) < X and / Ui (» is prime} |. 

— * — ' an 

By (|5.25j) and the definition of an, do, if Nz ^Iwe have 

r/ 2 X+ 

(5-27) iVc < < ±-. 

y 1 Na Na 

For e £ O k , consider the sieving problem (M, f2 e ) consisting in sieving the set 

M = {z £ O k I h{z) < K(y/(X + 1)/Na)} 



(where k is as in (|5.21j) ). by prime ideals p with Np ^ y/X/Na, with £l e (p) defined as follows: 
let 

(5.28) fi+(p) = {-^- | 1 < i < fc} C (0 K /P) 

euido 

(with the convention that any ratio where the denominator is modulo p is omitted) , and define 

n £ (p) 



n+(p) i£\Q+(p)\=k 
otherwise. 



Lemma 5.19. Let M. E denote the sifted set for the sieving problem above. We have 

T+(X) <£|AU 

£ 

This is an immediate consequence of the previous inequality Q5.26|) , (|5.21|) and the definition of 
the sieve (one could of course be more precise and not disregard the primes p with |0 + (p)| < k). 

Lemma 5.20. We have oj e (p) = if and only if 

p | N\u\ disc(u) 
where the discriminant is defined in h5.1U\) . 

Proof. This is clear: the factor N[u\ = Na arises from the possibility that the denominators 
in (|5.28f) are divisible by p, whereas the discriminant occurs from the possibility that 

XL' XL ' 

— = rr- (modp) i.e. UiUj — UiUj = (modp) 

for some i ^ j. □ 
Note that disc(n) ^ in the application to Proposition 15.141 since no two Ui coincide. 
By Corollary 15.181 we deduce that 

(5-29) T+(X) « 1 A 

— J iVo 

for X ^ 2 with an absolute implied constant, where 

Nn^y/X/Na+l P '" 
(n,disc(M)A r o)=l 

Note that n i— > J(n) is an arithmetic function that depends only on k, not on u. 

It only remains to find a lower bound for J to get an upper bound for T+(X); the only issue 
of note is the uniformity in u. All the arguments below are standard (see e.g. |HR[ Th. 2.4]), 
but by lack of a convenient reference, especially in the context of a number field, we give all 
details. 
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For n squarefree we have J(n) ^ J (tl), where J^n) is the totally multiplicative arithmetic 
function on integral ideals of K such that 

\k/Np otherwise. 

Therefore 

(5.30) Yj jb ( n )- 



TVn^X/iVci+1 
(n,disc(u)Afo)=l 

We consider the generating series 

z(s) = Y^J b (n)(Nn)- s = J] (l + kiNp)-*- 1 ) 

n Np>k' 2 

which converges absolutely 8 for Re(s) > 0, and the closely related 

w(s)=^j\n)(Nnr s = J] (1 - fc^)— 1 )- 1 

n Np>k 2 

which also converges absolutely in the same region. 
Lemma 5.21. There exists a Dirichlet series 

y(s) = YY(n)(Nn)- s 

n 

such that 

(5.31) z(s) = y(s)w(s), 

and y(s) converges absolutely for Re(s) > —1/2. 

Proof. This is clear by comparing the Euler factors of z(s) and w(s), using the fact that the 
zeros of 1 - k(Np)- 8 - 1 have Re(s) < -1/2 for Np > k 2 . □ 

Lemma 5.22. There exists a constant c > such that 

^ An) = c(logY) fe + 0((logy) fc - 1 ) 

Nn^Y 

for Y ^ 2. 

Proof. This is obvious by comparison of w(s) with Ck(s + l) fc , which has a pole of order /c at 
s = 0, and contour integration: we have (as in Lemma l5.21|) 

w(s) = (k(s + l)wi(s) 

for some Dirichlet series wi(s) which converges absolutely in the region Re(s) > —1/2. □ 

Lemma 5.23. Let T(n) be a completely multiplicative arithmetic function of integral ideals of 
K such that: 

(i) There exists A > such that 

{P1 " Np 

for all prime ideals p. 

(ii) There exists c > and 7 > such that 

Y T(n) = c(logY)~< + QdlogYr- 1 ) 

Nn^Y 

for Y ^ 2. 



In particular, has no zero. 
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Fix an integer B ^ 1. Then for all Y ^ 2 and a// non-zero integral ideals q suc/i £/ia£ 
Nq < Y B , we have 

E T(n) = (log y)T(j>(i>)r(i>)) +o((iogyr 1 (iogio g y)^), 

JVn^y 0|q 
(n,q)=l 

the implied constant depending on A, B and 7. 

In this statement and in the proof, we use d(n) (resp. /u(n)) to denote the divisor function 
(resp. Mobius) function for integral ideals. The latter is defined as usual (i.e. fi(p k ) = (— l) fc 
for any prime ideal p and k ^ 0, and \i multiplicative). The Mobius inversion formula holds: 



5>oo = 

0|n 



1 if n = 1 

otherwise. 



We will use the following easy estimate 



(5.32) ) «(loglogiVny 

p|n 



for all non-zero integral ideals n. The implied constant depends only on A. 
Proof. We have by Mobius inversion 

E T(n) = £ r(n5) 

JVn^y 0|q Afn^y/AfO 

(n,q)=l 

= E MWJ) E r(n) + o(y^ +£ ) 

0|q Nn^Y/NT) 
Nt)<Y s 

for any (fixed) 5 > and e < <5, having used the complete multiplicativity, and (i) and (ii) to 
estimate the remaining sum over large divisors of ./Vq: 

E E T(n)<<fe^E^) A 

0|q Nn^Y/NV 0|q 



(iogy) 7 

y 5 



« ^t^(1) A+1 



(by the assumption Nq ^ y 6 ). The implied constant depends on e, A, B and 7. 
Using again (ii) we have 

E mm E T ^ = c E ^^((log^'+^aogyr 1 )) 

0|q Nn^Y/NT) | q 

Afo<y a A f o<y 4 

= c (io g y) 7 E /"(f)r(3) + o((iogy) 7 - 1 (iogiogy) A ) 

0|q 
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by expanding the logarithm and estimating 



(logyf- 1 ! ^)T(V)\^(logYr- l l[(l + T(p)) 

NQ<Y S 



< (logy)^ 1 1[ (l + A) «A (loglogiVq) A 

P|q P 

<a,b (io g io g y) A 

by (prm 

It remains to get rid of <5, which is possible since 

Y ^(f « y~ 5 « y~ a+e . 

Choosing 5 small enough and e < 5, the lemma follows. □ 
We come back to 1)5.30(1 and write, using (|5.31|) 

E' Jb ( n )= E y ( m ) E Jb w- 

Nn^Y Nm^Y Nn^Y/Nm 

(n,disc(«)Afo)=l (m,disc(u)ATo)=l (n,disc(«)iVo)=l 

To the inner sum we can apply Lemma 15.231 with q = disc(u)iVa and 7 = k: the assumptions 
hold for some A, B and 7 = k by Lemma 15.221 Therefore 

E' J\n) = c Yl Y( m ){log(Y/Na) k + 0((logY) k - 1 (loglogY) k )) 

Nn^Y Nm^Y 
(n,disc(;u)7Va)=l (m,disc(ji)iVa)=l 

(5.33) =c(logy) fe ( Y M^OO) Y 

0|disc(«)iVa Nm^Y 

(m,disc(u) N a)=l 

+ o((iogy) fc - 1 (io g io g y) fc ), 

by again expanding the logarithm, and using the fact that for any B ^ the series 

^y(m)(logiVm) B 

m 

is absolutely convergent. Now apply the following lemma to y(m) and q = disc(u)iVa: 

Lemma 5.24. Let Y(n) be a multiplicative arithmetic function, y(s) its generating Dirichlet 
series. Assume that the Euler product for y{s) converges absolutely for Re(s) > —1/2. Then 
for any non-zero integral ideal q we have 

Y 

Nm<^Y 
(m,q)=l 

for X ^ 2, the implied constant depending only on the function Y . 

Proof. By a standard application of contour integration and Perron's formula. The size of q 
does not matter here because the sum always involves m = 1, with a contribution = 1. In 
slightly more detail: it is well-known (see e.g. |Ti-2| ]) that 



2iw Jx_ iT s VT|logy| 
for all y > and T > 0, where h(y) = 1 for y > 1, h(y) = for y < 1 and h(l) = 1/2. 
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Let Uq(s) be the generating Dirichlet series of Y(m) restricted to those m coprime to q. 
Choosing X of the form 1/2 + m for some integer m, as we may without loss of generality, we 
have 

i r l+iT j 

(5.34) y,W-= £ r(») + 0(xr>) 

(m,q)=l 

since 

^iVm|log(X/iVm)| < +0 ° 

(use the absolute convergence of J2^( m ) an d I A r m(log X/Nm)\ » 1). 
On the other hand, by Cauchy's theorem we have 

(5.35) ^.^(.^.^o) 

where C is the boundary of the rectangle [—1/4,1] x [—T,T]. By absolute convergence, the 
integral on the horizontal pieces and on the vertical line Re(s) = — 1/4 are 

l-tt r-l/A+iT r 

+ y q (s)X°™} « XT- 1 

/4-iT Jl+iT s } 

± y q (s)x^«x-^ 
2m y_i/ 4 _ iT S 

the implied constant depending only on Y. Hence (|5.34p and ()5.35|) show that 

^ y (m) = y q (0) + OiXT- 1 ) + O^" 1 / 4 ). 

(m,q)=l 

Taking T = X 2 for instance gives 

]T y(m)»y q (0) 

JVmsCX 
(m,q)=l 

the implied constant depending only on Y. 

Since y q (0) is the same absolutely convergent Euler product as y(0), except that primes 
dividing q are omitted, and any partial product of an absolutely convergent infinite product has 
a uniform lower bound, it follows that 

2/q(0) > 1, 

thereby proving the lemma. □ 
Since moreover 

Mf)Af)= n i 1 - jb (p)) > °. 

0|disc(u)ATa p|disc(u)7Va 

because J b (p) < 1 for all p (this is why small primes had to be excluded), the inequality (|5.33f) 
proves that 

(5.36) J» (1-J b (p)) 

p[disc(tt)iVa 

the implied constant depending on k and K only. 
Lemma 5.25. For all p we have 

k 



Proof. This is obvious from the definition. □ 
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Proposition 15.141 follows from (|5.29[) . (|5.36f) and this lemma. 

5.5. Proof of Proposition 15". 151 In this section we prove Proposition 15.151 For k = 0, the 

result is obvious with no need of the factor (logX) £ , since the sum is reduced to u = 1. So we 
assume k ^ 1. 

We have by lt5~32|) 

<j> k (l,u) « (loglogX) fc 
with an absolute implied constant, hence by positivity 

(5.37) £ M!^ <<(loglorfE ^ 

u&A k n ^ xk 
Nu^X 

for X ^ 2 (the constant depending only on k), where p(n) is the arithmetic function defined by 

(5.38) p(n) = \{(u%, u n ) ideals in Ojc \ N[ui, . . . , u n ] = n}\. 

Thus we drop the condition that the Ui be integers or primitive, and drop the size condition 
Nui ^ X on the solutions of N[u\ = n, and this shouldn't change the order of magnitude 
because of the logarithmic weight. 

The arithmetic function p(n) is multiplicative. 

Lemma 5.26. Let n ^ 1 be an integer. We have 

p{n) ^ d{n) 2k 
where d(n) is the function "number of divisors". 

Proof. In (|5.38|) . Nui \ n for all i, so there are at most d(n) k choices of (Nu\, . . . , Nuk), and for 
each of those there are 

r(Nm) ■ ■ ■ r(Nu k ) ^ r(n) k ^ d{n) k 
choices of (u\, . . . u^). □ 

Lemma 5.27. Let p be a prime number. We have 

p(p) = (l + X (p))(2 k -l). 

Proof. We have N[u%, . . . , Uk] = p if and only if 

(5.39) [m, ... ,u k ] = 7r 

where ir is an ideal such that Nir = p. 

For a given ir, the solutions u of Nu = p correspond bijectively to /c-tuples of integers 
(yi, . . . Uk) such that 

Ui = TT % 

with ^ v% ^ 1 and at least one of the z/j is = 1. The number of such tuples is equal to 2 k — 1 
(all tuples except (0, . . . , 0)). 

The number of solutions of Nir = p is 1 + x(p) f° r an primes p, and the lemma follows. □ 

Proposition 15.151 is a consequence of (|5.37j) and Lemmas 15.261 and 15.271 applying to p the 
following very standard result (compare Section [5.4)1 applied with 7 = 2 k — 1. 

Lemma 5.28. Let p(n) be a multiplicative arithmetic function satisfying: 

(i) There exists A > such that 

(5.40) p(n) ^ d(n) A for all n^l, 

(ii) There exists an integer 7 such that for all primes p we have p(p) = 7(1 + x(p))- 
Then there exists c > such that 

p{n) 
n 
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as X — ► +00. 
Proof. Let 



•z(s) = > p{n)n ~ s 



be the Dirichlet generating series of p. By (i), the series converges and defines a holomorphic 
function for Re(s) > 1. By multiplicativity, z(s) has an absolutely convergent Euler product 
expansion 

Z ( S )= j] ( i + 2 7 ^ +/3 (p 2 )p- 2s +---) n (i+7P- s +...) n (i+p(p 2 )p- 2s +...)• 

x(p)=i x(p)=o x(p)=-i 

Hypothesis (ii) implies that one can factorize 

= GfO) 7 ^iO) 

where 21 (s), first defined by this equation for Re(s) > 1, admits analytic continuation to a 
holomorphic function on Re(s) > 1/2. Indeed one has 

ck( S )= n (i-2p- s +p- 2s r i n {i- P - 2s r\ 

x(p)=i x(p)=-i 

so the products over split and inert primes already converge for Re(s) > 1/2, while the coefficient 
of p~ s in the p-Euler factor for z\(s) vanishes. 

Since Ck(s) has a simple pole at s = 1, it follows that z(s) has a pole of order 7 at s = 1, so 
a standard contour integration proves the lemma. □ 

For k = 1, we can easily get rid of the annoying factor log log X, as mentioned in Remark 15 .51 

Proposition 5.29. We have 

/or X ^ 2, £/ie implied constant depending only on K. 
Proof. We allow ourself to be a little sketchy: we have 

0i(i,«)= n (i+^p)- 1 ). 

p|7V«(«-«) 

Assume K = Q(V — 4D) with 4D a fundamental discriminant 41? = (mod 4) so that (1, y/—D) 
is a Z-basis of Ok (the remaining case being similarly treated) and N(a + by/—D) = a 2 + D6 2 . 
By trivial estimate, we have for u = a + b\J —D 

An w WD) Ma 2 + D&) 
M1 ' U) ^ 2D a* + Db* T ' 
(recall ^ is defined in (|2.1()|) ). Hence 

\ - <MM) < 2 v V V 1 

^ iVu ^ ^ d ^ b a 2 + Db 2 ' 

Nu ^ X d\a 2 +Db 2 

The contribution of b = is <C 1 (since d \ a 2 and d squarefree imply d \ a). For \b\ ^ 1, in the 
inner sum we write a = da\ + a for some a, ^ a < d, such that a 2 = —Db 2 (mode?). For given 
a, by partial summation, the inner sum over a\ is easily seen to be <C (bd^/D)^ 1 , uniformly in 
a. The result then follows since the number of a for a given squarefree d is at most the number 
of divisors of d, and 

E ipCb) , , v-^ d(nWn) 2 

« lo § x ' and E n2 < +°°- 

6<(X/D)1/ 2 "^1 

39 



□ 



Extending this kind of argument for k ^ 2 might be possible although certainly cumbersome 
since the various Ui would become mixed up together. The issue is whether disc(u) can have 
too often too small prime factors, and doesn't seem completely trivial. 

5.6. The elliptic splitting problem. Because the condition d \ d\(p) is equivalent to the 
congruence o~ p = 1 (modcf) in the endomorphism ring of E, we can again apply sieve to obtain 
a Brun-Titchmarsh inequality for totally split primes in K(E[d\) for a CM curve. In particular, 
the extension K(E[oo])/K is a Brun-Titchmarsh field for a CM curve. 

Theorem 5.30. Let E/H be a CM curve with complex multiplication by an order O of a 
quadratic field K/Q, and H' = H(E [00]) its division field. Assume that H contains K . Then 
H'/H is a Brun-Titchmarsh field corresponding to the restriction of scalars G — Resjp ii 1 {G m ) . 

First remark that the extension H'/H enters in the setup described in Section fe.Sl for the gen- 
eral Brun-Titchmarsh problem, because of part 1. of Theorem 12 . II and the general ramification 
properties of E[d]. 

Proposition 5.31. Let H be a number field, E/H an elliptic curve with CM by an order 
O C K C H and let d^ 1 be an integer. We have 

7T E (X;d,l) « [H : Q] — — ^ 

for d ^ X, where the implied constant is absolute and ^po(d) = \ (0 /dO) x \. 

This proposition clearly implies the theorem since Ga\(H(E[d])/H) is of bounded index in 
G{Z/dZ) = (0/dO) x . In turn, since p is split in H(E[d])/H if and only if the Frobenius tp(p) 
satisfies ip(p) = 1 (mode?), it follows immediately from Lemma 15.21 and the next proposition: 

Proposition 5.32. Let K/Q be an imaginary quadratic field. Then 

X 



Tr K (X;d, 1) <^. K 



cp K (d)(logX/d 2 ) 
the implied constant depending only on K . 

Proof. This is almost a (simpler) special case of Proposition 15.141 (for k = 1 with d instead of 
u; it is not included in that Proposition since the latter assumes u Z), so we can be very 
sketchy. One applies the large sieve, as in Section l5~H to sieve 

M = {z e O k I h{z) ^ y/X/d] 



by primes p with iVp ^ yX/d = Q, with f2(p) = {— 1/d (modp)}, if p does not divide d and 
f2(p) = otherwise. By Corollary 15. 181 we derive 

n K (X;d,l) « — 

with 

j=t n j^-r 

Nn^Q p|n 
(d,p)=l 

Evaluating this sum in the usual manner, the result follows. □ 

Note the following simple corollary of Theorem 15.301 for the elliptic splitting problem, which 
is still not very strong however (recall the expected order of magnitude is X). 

Corollary 5.33. Let E/H and K be as in the proposition. We have 

S E (X;d 1 ) «. E X (log X) 1 ' 2 

for X ^ 2. 
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Proof. We split the sum 

S E (X;d 1 )= Yl <f(d)7r E (X;d,l) 

in two ranges d ^ B and B < d ^ \fX + 1 where B = {yX-\- 1)/-A for some A ^ 1 to be chosen 
later. In the first range, applying the Brun-Titchmarsh inequality yields 

x ^ <p(d) 



£ <p(d)*E(X; d, l) « E 2 E 

d^B & ' d^B 

.log(VX/A) 



log A 

In the other range, we use instead the trivial bound coming from Lemma 15.21 and overcounting 
all integers z E Ok instead of only prime elements, which gives 

ir E (X;d,l) <. K [H : Q]\{z £ Ok \ Nz ^ X and z = l(modd)}| <. K [H:Q](^ + 1 



Hence 



£ ¥>(d)7r B (X;d,l) < K [H:Q]X ^ ^ < K [H : Q]Xlog A 



We now choose ^4 = exp(^/logX) and it follows that 

5 B (X;di) « £ X(logX) 1/2 , 

as desired. □ 

Remark 5.34. The Brun-Titchmarsh property and the Bombieri- Vinogradov Theorem in K can 
be used to prove a (weak) lower bound 

s E {x- dl) » E x 1 ^- 

logX 

(better than the trivial lower bound Xj log X arising by taking the single term d = 1 in 1)3. 2 Jl 
only by log log X). The factor (p(d) is the reason of the difficulties in the direction of lower 
bounds. 



6. Local study of totally split primes 

We now change the point of view, motivated by the considerations of the previous sections. 
We wish to understand, given d ^ 1, for which finite fields F q there does exist some elliptic 
curve E/F q with d\{E) = d, or more generally with its d-torsion points rational over F q . In 
the cyclotomic case the answer is simple: F q contains all the <i-th roots of unity if and only if 
q = 1 (mod d) . And the analogue of d\ is the largest d for which all d-th. roots of unity are in 
F q , therefore it is simply q — 1. 

We will first study this question using the methods introduced by Deuring jDej . The results 
can also be extracted from papers of Schoof |Sc-2j . Howe |Hoj . Tsfasman-Vladut (and maybe 
others I have not seen). But those are written with a slightly different emphasis. Then we recover 
similar results using modular curves and the trace formula, before giving some applications. 

6.1. Results using endomorphism rings. We first deal quickly with the case of supersingular 
elliptic curves. 

Proposition 6.1. Let E/F q be a supersingular elliptic curve over a finite field with character- 
istic p. We have 

(6.1) d 1 (E)^2 
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unless E satisfies a(E) 2 = Aq, in which case 

(0.2, *<*>=H + i VSrtf 

Proof. All this is contained in jSc-21 Lemma 4.8] for instance, but most of it is easy to see. For 
instance, if a(E) 2 = Aq (so q is a square) the Frobenius a is a solution of the quadratic equation 
X 2 — a(E)X + q = 0, which has the double root G Z (with sign chosen has in the statement 
of the proposition). So a— 1 G Z C End(-E), and Lemma 12.61 implies (|6.2j) . 

For the other cases, it is known that a(E) 2 = q, 2q or 3g, or a{E) = 0. If a(E) = (the only 
possibility over F p ), for instance, the congruence a(E) = 2 (mod di(E)) proves (|6.1|h Similarly 
in the other cases the congruences of Lemma |2.6I either prove (|6.1jh or a weaker bound like 
d\{E) ^ 4, which will suffice here (see |Sc-2| Lemma 4.8] for complete details). □ 

This has the following global corollary which shows that supersingular primes have a small 
contribution to (j3,l[) . 

Corollary 6.2. Let E/Q be an elliptic curve. We have 

(6.3) dl ^ < - E \^~x i f EhasCM 

a p (E)=0 

(6.4) d 1 (E)<^ E X 3/4 otherwise. 

a p (E)=0 

for all X ^ 2, the implied constant depending on E only. 

Proof. If E has CM, the number of supersingular primes p ^ X is well known to be (see 
e.g. [IT]) ~ X/(21ogX), while if E doesn't have CM, Elkies [ETj has shown that the number 
of supersingular primes p < X of E is X 3 / 4 . Since di(p) ^ 2 by Proposition 16.11 the result 
follows. □ 



Remark 6.3. In the non-CM case, Serre's proof |Se-4j that the number of supersingular primes 
^ X is o{Xj log X) suffices to show that 



X 



AogX 

a p {E)=0 



as X — ► +oo. 



From now on we assume that E/F q is an ordinary elliptic curve over a finite field with q 
elements. We let O = End(i£), K the field of fraction of 0, Ok the ring of integers of K. Let 
a G O be the Frobenius endomorphism of E. The main tool to find d\(E) is Lemma 12.61 

Lemma 6.4. Let d ^ 1 be an integer. We have d \ a —1 in Ok if and only if a(E) = 2 (mode?) 
and n(E) = q + 1 - a{E) = (mod d 2 ) . 

Proof. Let a' = (a—l)/d G K, so d \ a — 1 in Ok if and only if a' G O^. But since a' G" Z, 
since is ordinary, its minimal polynomial over Z is 

<*_✓)(*-;?)=*• -2^*+=^. 

Hence the result since 0^ is the integral closure of Z in K. □ 



We can check that this gives back the other congruences. 
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Lemma 6.5. Let a, q ^ 2, d 1 be integers such that 

a = 2 (mod <i) 
g + 1 - a = 0(mod(i 2 ). 

T/ien g = 1 (mod d) and a 2 — 4g = (mod (i 2 ). 

Proof. We have modulo d 

0=g+l-a=g+l-2=g-l 

and modulo (f 2 

a 2 - 4q = (q + l) 2 - 4q = (q - l) 2 = 0. 

□ 

Lemma 6.6. Let E/F q as before. We have d\ a —1 in Ok if and only if a 2 — 4q = (mod d?) 
and n(E) = (modoP). 

Proof. Let again a' = (<r — l)/<i G -ftT. In terms of a' , the two assumptions are 

jV(o--l) = d 2 Na' = 0(modd 2 ) 
( CT -a) 2 =d 2 (cr / -^) 2 = (mod d 2 ), 

hence we see that N a' £ Z and (cr ; -o"') 2 G Z. 

The latter is also (cr'+o 7 ) 2 - 4A^a', hence we deduce that (Tr a') 2 G Z. Since Tr(cr') G Q, it 
must be an integer, hence the result. □ 

Those easy results give a good handle on the condition d \ a —1 in Ok ■ The problem is that 
O is in general a proper order in Ok- However, the necessary congruence conditions are also 
sufficient "up to isogeny" . 

Proposition 6.7. Let F q be a finite field with q elements, d ^ 1 an integer coprime with q. 

There exists an ordinary elliptic curve E/F q with E[d] C E(F q ), i.e. d\ d\{E), if and only 
if there exists a G Z such that 

I\a\ < 2^q 
(a,q) = l 
a = 2 (mod d) 
q + l-a = 0(modd 2 ). 

For the proof we need some results which are part of Honda- Tate theory for elliptic curves 
(which goes back to Deuring) , and others due to Waterhouse |Waj concerning the endomorphism 
rings of elliptic curves over finite fields. 

Theorem 6.8. (Deuring, Honda, Tate) Let F q be a finite field with q elements. Given an 
integer a such that \a\ < 2^/q and (a,q) = 1, there exists an ordinary elliptic curve E over F q 
with a(E) = a. 

See for instance |Wal Th. 4.1]. 

Theorem 6.9. (Deuring, Waterhouse) Let F q be a finite field with q elements, a an integer 
with \a\ < 2^fq and (a,q) = 1. Let K = Q(a/ a 2 — 4g) and let O be an order of K. There exists 
an ordinary elliptic curve E/F q with a(E) = a and End(-B) = O if and only if O contains the 
roots of 

X 2 - aX + q = 0. 

See US] Th. 4.2 (2)]. Note that this second result requires Tate's Theorem identifying 
relating isogenies between elliptic curves with Galois-invariant maps between their i'-adic Tate 
modules, (£, q) = 1. 
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Proof of Proposition \fTl\ The condition is necessary. Conversely, if a exists as described, The- 
orem shows that there exists E/F q with a(E) = a and End(-E) = Ok, where K is the 
imaginary quadratic field K = Q(\/a 2 — 4q). 

The congruence conditions on a{E) and n(E) then mean (Lemma I6.4j) that d \ a —1 in 
O k = End(£0, hence d\d l (E). □ 

Remark 6.10. If q = p ^ 5 is prime, one can remove the condition (a,p) = 1 on a from the 
statement of the proposition. Indeed, if p \ a, we have a = 0, and since a = 2 (modd), the only 
values of d occurring are d = 1 and d = 2. But those can be obtained from ordinary elliptic 
curves: d = 1 by any E, and d = 2 by a Legendre curve 

E\ : y 2 = x(x — l)(x — A) 

(which always has 2 | di(E\)) for some A G F p — {0, 1}. Indeed, the condition that E\ be ordinary 
is equivalent (see e.g. |Si-ll V-4]) to H p {\) ^ 0, where H p is the Hasse-Deuring polynomial 

(p-l)/2 -i \ /r)\ 2 

j=o v J 7 

Since ^ deg H p = {p—l)/2 < p — 2, there is a A G F p — {0, 1} which is not a root of H p , hence 
a corresponding ordinary E\ with 2 | d\(E\). 

On the other hand, if q is a square, let d = yfq + 1. Then d satisfies all the assumptions 
of Proposition 16.71 with a = —2^/q, except (a, q) = 1. But this is the only value of a{E) for 
which one could have d \ d±(E), and it corresponds to supersingular curves, so that in general 
(a, q) = 1 is a necessary assumption. 

In applications, we are interested in the invariant d\(E), and d = d\{E) means not only 
E[d] C E(F q ), but also that no larger d (coprime with q) satisfies this. However, Proposition 16. 71 
remains true with d = d\{E) instead of d \ d\{E) in the conclusion. 

Proposition 6.11. Let E/F q be an elliptic curve over a finite field with d\(E) = d. For every 
5 | d, there exists an elliptic curve E' /F q which is F q -isogenous to E and satisfies di(E') = 5. 

Corollary 6.12. Let F q and d ^ 1, (d, q) = 1, be as above. There exists an ordinary elliptic 
curve E/F q with d\(E) = d if and only if there exists a G Z with \a\ < 2yjq, (a,q) = 1, and 
such that 

{a = 2 (mod d) 
q+l-a = 0(modd 2 ). 

Proof of the proposition. Write d = 55' . We have, with the same notation as usual, a' = 
(a-l)/d £ O. It suffices to find a smaller order O' C O with 5' a' = (a -I)/ 5 £ O' but 
for which there is no e > 1 with 5' a' je G O' . Then, since a G O', Theorem 16.91 shows that 
there exists E'/F q , isogenous to E (hence ordinary), with End(£") = O' . Then di(E') = 5 by 
construction fLemma l2.6|) . 

To construct C, we write O = Z © wZ (see |Cox| 7-A]), and correspondingly a 1 = m + nu, 
for some m, n G Z. So 5' a' = 5'm + 5'noj. Let O' be the order Z © cnujZ of K. Then 5' a' G O', 
but for any e ^ 1, we have 

5' a' m5' 5'nuo 
= + 

e e e 

and for this to be in O' we must have e = 1, showing that O' satisfies the conditions required. □ 

Remark 6.13. Over the base field F p , it is again possible to remove the condition (a,p) = 1. 
Putting back supersingular curves, the following statement holds: 

Let d ^ 1 be an integer. There exists an elliptic curve E over F p with d\{E) = d if and only 
if there exists a, |a| < 2y/p, such that 

{a = 2 (mod d) 
p + 1 - a = (modd 2 ). 
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In particular, this is always true for d = 1 and d = 2 (the latter for p ^ 5). 

Remark 6.14. As a side remark and pretext to mention another interesting problem of analytic 
number theory, the case d = 1 can be studied purely analytically from Theorem 16.81 and the 
distribution of squarefree numbers in short intervals. Indeed, if a ^ is such that p + 1 — a is 
squarefree, any elliptic curve E/F p with a{E) = a must have d\(E) = 1. Hence the existence of 
such an E (for p large enough only, however) follows from any "non-trivial" estimate for error 
term in the asymptotic formula for the number of squarefree numbers n ^ X 

J2\Kn)\ = ? ^X + 0(X 9 ) 

as X — > +oo, with 9 < 1/2, since this implies in particular 

Y, MP+l-a)l>0. 

\a\<2^p 

The value 9 = 1/2 is easily obtained, any improvement requiring non-trivial cancellation in 
some exponential sums. See for instance |G!K| p. 46] where it is shown that 9 = 4/9 + e is 
possible, for any e > 0. 

6.2. Results using the trace formula. The criterion obtained in Corollary 16.121 is quite 
convenient. However, from our point of view, it is more natural to fix a prime p (or prime 
power) and look for which d \ p — 1 there exists E/F p with d\{E) = d. 

A criterion of that type arises naturally if we use, instead of endomorphism rings, the theory of 
modular curves and the Eichler-Selberg trace formula. Although Corollarv l6.12l and E.emark l6.13l 
would suffice for the applications in the next section, this approach is sufficiently independent 
and instructive to be included here. 

Theorem 6.15. Let p be a prime number, d \ p — 1 an integer. Write d = ef with (e, 2) = 1, 
f | 2°°. There exists E/F p with d\{E) = d if and only if there exists a with \a\ < 2^/p such that 

(1) We have e 2 \ a? — Ap; 

(2) If f ^ 1, there exists e = ±1 (mod /) such that e 2 — ae + p = (mod f 2 ). 

We need some geometric preliminaries. For any integer d ^ 1, there exists a smooth affine 
curve Y(d) naturally defined over Q(/^ d ), with good reduction at all primes p \ d, which is a 
coarse moduli scheme for "elliptic curves with a d- level structure" (see Ka.\hi| or |DE,j ). Over 
C, Y(d)(C) is the "usual" quotient 

r(d)\H 

of the upper half-plane by the principal congruence subgroup 

r(d) = {ge SL(2, Z) | g = 1 (mod d)}. 

Moreover, Y(d) has an integral model over the ring of integers Z[/x d ] of the cyclotomic 
field Q(n d ). Notice that p = l(modd) means that the p is totally split in this field, hence 
Z[fj, d ]/(p) ~ (F p ) v( - d \ The above "moduli scheme" sentence implies in particular (see |DR1 VI- 
3]) that for p = 1 (modd), it is the same to give a point in Y(d)(F p ) as to give a pair (E, (e\, e^)) 
of an elliptic curve E/F p together with two F p -rational points of order d, e\ and e2, such that 
the Weil pairing <e±, e2> is equal to a fixed primitive d-tb. root of unity (these pairs taken up to 
isomorphism). In other words we have (see also |Hoj for a description of other modular curves 
over finite fields): 

Lemma 6.16. Let p be a prime number, d ^ 1 an integer such that d \ p — 1. Then there exists 
E/F p with E[d] C E(F p ) if and only ifY(d)(F p ) ^ 0. 

We are thus reduced to finding points on the curve Y(d) over the finite field F p . 
The curve Y(d) has a natural compactification X(d), which over C amounts to adding the 
cusps to H before taking the quotient by T(d). The projective curve X(d) has also good 
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reduction at all p not dividing d (and a moduli description in terms of "generalized elliptic 
curves" ) . 

For p a prime of good reduction, the local zeta function of X(d) 

\X(d)(F p 
n 

is, by general results (due to F.K. Schmidt in this case of curves over finite fields), a rational 
function of the form 

where is a polynomial of degree 2g(d), g(d) being the genus of X(d). From this and the 
definition of Z(X(d),p), one can deduce immediately that 

\X(d)(F p )\=p+l-Y,<Xi 

i 

where 

2g(d) 

Pd = n i 1 -^)- 

i=i 

The point of using the compactified curve X{d) is that we have the following consequence of 
the computation of the zeta functions of modular curves by Shimura ( Sh-11 §7.5]). 

Theorem 6.17. Let d ^ 1 be an integer, p = 1 (modd) a prime number. We have 

\X(d)(F p )\ =p+l- Tr(T p \S 2 (T(d))), 

where the last term is the trace of the Hecke operator T p acting on the space S2(T(d)) of weight 
2 holomorphic cusp forms for the congruence subgroup T(d). 

More precisely, Shimura's result gives the zeta function for models of X(d) over Q, of which 
there exist several; but all give the same X(d) over Q(/x d ), hence the result since we consider p 
totally split in Q(/x d ). 

The Eichler-Selberg trace formula gives an expression for the trace, which one may use to 
find when X(d)(F p ) ^ 0; this idea is used by Jordan |Joj . However, he works with Shimura 
curves, which are compact, and his main interest is at primes of bad reduction. 

Here we have to take the cusps into account, since they do not correspond to elliptic curves. 
Over C, the cusps of X(d) are described in |Sh-ll Lemma 1.42]. We need to know which are 
rational over F p . 

Let <p + {d) denote the number of even Dirichlet characters modulo d (i.e. x{~ 1) = !)• This 
is given by 

O(d) 



(6.5) ^ + {d) 



if d > 2 
<p(d) = 1 if d = 2. 



By orthogonality of characters, we have for any x G Z 

\tp + {d) if x = ±1 (mod d) 
I otherwise. 



(6.6) V xto 



E 

X even 



(This will be needed later on). 

Lemma 6.18. Let d ^ 1 be an integer, p = 1 (mode?) a prime number. All the cusps of X(d) 
are ¥ p -rational, and in particular 

jy(d)i;(d) ifd>2 



\{X(d)-Y{d)){¥ p )\=^(d)m 



\<p{d)iP(d) ifd 



2. 
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Proof. This follows from Theorem 10.9.1 (3) of KaMa] which says (in particular) that the 
cusps of Y(d)/Z[[i d ] are rational over Z[/x d ], and "do not vary" by base change to any Z[/i d ]- 
algebra; heuristically, cusps rational over F p "correspond" to level d structures on the Tate 
curve Tate(q) /F p ((q)) rational over F p ((q)). Since the d-torsion of the latter is isomorphic as 
a Galois module ( |Si-21 V-3]) to 

Z/dZ x fj, d 

and d \ p — 1 so fi d C F* , it is visible that all level d structures on Tate(q) are F p ((g))-rational. 

The number of cusps over C is found in [SOI p. 22], or can be recomputed directly from 
the result in |KaMaj quoted above. □ 

We will now state the trace formula in the form needed. A paper by Fomenko |Fomj should 
include it, but I have not been able to see it. On the other hand, the trace formula for T(d) 
is not easily derived from general accounts: for instance, it does not correspond to an "Eichler 
order", so the arguments in |Mi| Ch. 6], for instance, can not be adapted straightforwardly. We 
can circumvent these difficulties by reducing to the much better known case of Hecke congruence 
subgroups Tq(N), for which we can quote for instance |Mij . |Se-5j or |Haj (among many other 
non-conflicting sources). 

Lemma 6.19. Let d ^ 1 an integer and p = l(mod<i) a prime number. There exists an 
isomorphism of vector spaces 

u : S 2 (r(d))— > S 2 (T (d 2 ), X ) 

X even 

where the direct sum is over all even Dirichlet characters modulo d, S 2 (To(d 2 ),x) is the space 
of weight 2 cusp forms for To(d 2 ) with nebentypus x> which satisfies 

u o T p = T p o u, 

where on the right T p is the direct sum of Hecke operators acting on S 2 (To(d 2 ),x)- 
Proof. We first introduce the congruence subgroups 

r (d, d) = {g= ( a c ^ G SL{2, Z) | b = c = (mod d)}. 

We have T(d) < T (d,d) with quotient {Z/dZ) x . 

The even Dirichlet characters modulo d are extended to characters of Tq (d, d) by 

x(g) = x(d)- 

Then the natural action of To(d,d)/T(d) on S2(T(d)) gives the direct sum decomposition 

5 2 (T(d))= S 2 (T (d,d),x) 

X even 

(for odd X , S 2 (T (d,d), X )=0). 

Since d \ p — 1, we have x(p) = 1 f° r an Y character modulo d, and this implies that T p acting 
on S2{T(d)) is the direct sum of the T p acting on S 2 (To (d, d) , x) (see |Sh-ll 3.5.6]; it amounts 
to the fact that a xip) appears in the explicit formula for T p acting on S 2 (To(d, d), x) but not 
for T p on S 2 (T(d))). 

Moreover To(d, d) is conjug ate to T (d 2 ) in SX(2,R) by 

fd- 1 ' 2 \ fd 1 ' 2 
9 ^ { *P) 9 \ d-^ 2 . 

This induces an isomorphism 

(6-7) S 2 (T (d,d),x)^S 2 (T (d 2 ) jX ) 
given by 

'dVa 

d- 1 / 2 , 
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(where • I2 • denotes the usual weight 2 action of SL(2, Z) on functions). Hence we have an 
isomorphism 

u : s 2 (r(d))-> 5 2 (r (ci 2 ),x). 

X even 

Since T p commutes with the isomorphism ([6.7)1 . as is well known (compare |Mi| 4.6.1]), it is also 
compatible. □ 

Corollary 6.20. Let d 1 be an integer, p = 1 (modcf) a prime number. We have 

TrT p \S 2 (T(d)) = Y, TrT p \S 2 (ro(d 2 ),x), 

X e-uen 

where the sum is over even Dirichlet characters modulo d. 

To state the trace formula for ^(^(d 2 ), x)> we require some further notation. Recall % is an 
even character. 

If O is an order in an imaginary quadratic field, we let H(0) denote its class number, divided 
by half the number of units (i.e. 1 unless O = Z[i], where it's 2, or O = Z[/x 3 ], where it's 3). 
We denote by 0{5) the order with discriminant 5 < 0, and let H(5) = H(0(5)). 

If O C 0(a 2 — 4p) is a sub-order with index /, and N ^ 1, we denote 

(o. 8) ^OmW- y. xW 

x (mod N) 
x 2 -ax+p=0(modN(N,f)) 

(it makes sense). 

Theorem 6.21. Let d ^ 1 be an integer, \ an even Dirichlet character modulo d and p 
I (mod d) a prime number. We have 

TrT p \S 2 (T (d 2 ), X ) = t d ( X ) - U{ X ) ~ t h (x) 

where 

ifx = 1 
otherwise 

a£Z 0C0(a 2 -4p) 
a 2 <4p 

(6-10) ^(x) = ^Z)Z)v((v' C )) x(yc) ' 

where y c is an integer modulo d 2 / ((d 2 / c, c)) such that 

y c = b (mod c) 
y c = p/b (mod d 2 /c). 

Remark 6.22. The notation follows the genesis of these terms, for example in Shimura's formu- 




lation |Sh-2j of the trace formula as a kind of Lefschetz formula for correspondences: td refers 
to the "dual term", as it should be understood as coming from an H 2 , which is non-zero only 
for weight 2 and trivial character; t e refers to the contribution of elliptic elements, and t^ to 
the contribution of hyperbolic elements. There is no parabolic contribution here because we are 
working with T p and p is not a square. 

Proof. Serre |Se-5| 4.1] quotes a general formula for all levels and characters. To deduce the 
form claimed, notice that the term denoted A\ vanishes since p is not a square and the term 
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denoted A$ gives directly td- The term —A3, we claim, is the same as t^. Indeed, we have from 
loc. cit. 



- A 3 = ± £ Inf ^ Pl h ) E * ( ( ^ • c ) ) x(Sc 



b\ P 

where the sum over c is restricted to divisors of d 2 such that 

,,n) (*.),£-» 
<" 2 > (~' c ) 1 T x 

(d x is the conductor of x)- Now first for 6 \ p we have Inf(6,p/6) = 1, and also p/b—b = ±(p— 1) 
Also, for all c I d 2 , we have 



/d 2 \ 

(6.13) (7' c ) |d - 



'rf 2 
c 

Indeed, proceeding locally at each prime £, if d = £ u , and c = with /i ^ 2v, the exponent of 
(d 2 /c, c) is Inf(/i, 2u — fi) ^ v. 

Since d x \ d, and d \ p — 1, this shows that the two restrictions (|6.11j) and (|6.12|) on c are 
satisfied for all c\ d 2 . 

Similarly, the term —A2 in loc. cit. is the same as t e (recall the weight is 2). □ 
Corollary 6.23. Let d ^ 1 an integer, p = 1 (modd) a prime number. We have 

TiT p \S 2 (T(d))=p+l-t e -t h 

where 

te = *e(x) 
X even 

X et>en 

The next observation is elementary but crucial. 

Proposition 6.24. Let d ^ 1 an integer, p = 1 (modd) a prime number. Then th is equal to 
the number of F p -rational cusps of X(d), i.e. ip + {d)ip{d). 

Proof. The point is that the integer y c in (|6.10[) can be chosen, for b \ p and any c\ d 2 , to satisfy 
(6.14) y c = l(modd), 

and since the character x ls modulo d (not d 2 ), we have x{Vc) = 1 for any x- 

To see ()6.14(l . we work locally at all primes I as before. We have b = 1 or b = p: both 
situations are similar, so assume 6 = 1. Then writing l v for the ^-component of d, for that 
of c, [j, ^ 2z^, the conditions on y c are 

jy c = l (mod^) 
\y c =P (modf 2 "-'*). 

We have either /i ^ z/, in which case the first equation implies y c = 1 (mod £^), or 2i/ — /x > j/, in 
which case the second implies y c = p = 1 (mod-P 1 ), since p = 1 (modd). Those local congruences 
patch, proving the claim for 6=1, and 6 = p is symmetric. 

Using (|6.6|) . and the fact that 6=1 and 6 = p have the same contribution, we can now write 
th as 

t h = <p+(d)J2<p((^, c ) 

c\d 2 ° 
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We now use 5 = (d 2 /c, c) as new summation variable. Recall that 5 \ d ()6.13j) . We get 

(6.15) t h = v + {d)Y J V{5)M(S) 

S\d 

where 

M{S) = \{c\ d 2 | (d 2 /c,c) =S}\. 

We work again at each prime i separately, with t v the component of d, t p that of 5. The 
^-component & 1 of c must therefore satisfy 

Inf(/U, 2v — p) = p. 

Given p, there are two choices of p, namely p = p or p = 2v — p (since p ^ u), unless p = v, 
since in this case they coincide. 
It is clear that 

/(d) = J>(a)M(<5) 

8\d 

is multiplicative. Now we compute the value at f using the above: we have 

M(£P) = 2 if p < v 
M{l u ) = 1, 
so 

u-l 
p=0 

= W)- 

Comparing this and (|6.15|) with Lemma 16.181 the proposition is proved. □ 

Remark 6.25. I did not find mention in the literature of this fact that the hyperbolic terms in the 
trace formula "count the cusps" , although that must be well-known. This applies obviously to 
more general subgroups, with corresponding applications to elliptic curves over finite fields using 
their moduli interpretation. It would be interesting to see if there are higher-rank analogues, 
and their consequences. 

Corollary 6.26. Let d 1 an integer, p = 1 (mod d) a prime number. We have 

\Y(d)(F p )\=t e . 

In particular, there exists an elliptic curve E/F p with E[d] C E(F p ) if and only if t e > 0. 
Proof. We have by Proposition 16.241 

\Y(d)(F p )\ = \X(d)(F p )\-t h 

= p + 1 — Tr T p — th (by Theorem I6.17|) 

= p + 1 - (p + 1 - t e - t h ) - t h 

= t e . 

□ 

Because of the average over x> te is a sum of terms each of which is obviously ^ 0. This 
makes it possible to find a criterion to have Y(d)(F p ) ^ (compare |.To| ) . If the formula for t e 
involved any oscillatory sum, it would be much harder to exploit it. 

For a quadratic imaginary order O C 0(a 2 — 4p) with index / we let 

p(0,a,p,d 2 ) = ^2 %(C>«>:P>d 2 )> 

X even 
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and 

fj,(a,p,d 2 ) = n{0{a 2 - ip),a,p,d 2 ). 

From (|6.9|) we have 

(6.16) te = \Yl E H(0)fi(0,a,p,d 2 ). 

aeZ OdO(a 2 ~Ap) 
a 2 <4p 

Lemma 6.27. We have for an order O C 0{a 2 — 4p) of index f 

H{0,a,p,d ) = ^ d 2/( d 2^)) / J o(Q»P»rf./) 

where 

Ho(a,p, d, f) = \{x (modd 2 ) \ x = ±1 (modd) and x 2 — ax + p = (mod d 2 (d 2 , /)).}| 

This is simply the orthogonality relation (|6.6jL We let /j,o(a,p,d) = fio(a,p, d,l). 

Corollary 6.28. Let d ^ 1 be an integer and p = 1 (mod d) a prime number. We have 
Y(d)(F p ) 7^ if and only if there exists an integer a with \a\ < 2^/p such that u(a,p,d) > 0, if 
and only if there exists a with \a\ < 2^fp such that the equation x 2 — ax +p = (modd 2 ) has a 
solution x with x = ±1 (modd). 

Proof. From (|6.16j) . we have t e > if and only if there exists a and O C 0{a 2 — 4p) with 
fi(0,a,p,d 2 ) > 0. But if this condition holds, seeing from the definition that 

H(a,p,d 2 ) ^ n(0,a,p,d 2 ), 

we have /j,(a,p,d 2 ) > also. 

The last statement is a rephrasing of this condition using Lemma 16.271 □ 

We thus need to find a condition on a for the existence of a solution to the system 

(6.17) x = ±l(modd) 

(6.18) x 2 -ax + p = 0(modd 2 ). 

By the chinese remainder theorem, this admits a solution if and only if it does locally at 
every prime i. So we find equivalent conditions for d = t v . First we consider i odd. 

Lemma 6.29. Let I be an odd prime, d = f . The system above admits a solution if and only 
d 2 = l 2u | a 2 - Ap. 

Proof. Let A = a 2 — 4p denote the discriminant of the quadratic equation (|6.18fl . Completing 
the square to rewrite it as 

(6.19) (x - -Y - A = 0(modd 2 ) 



2, 

(since i is odd) shows that there is a solution to (|6,18|) if and only if A is a square modulo d 2 . 
First assume that d 2 \ A. Then reducing modulo d and using p = 1 (modd) we see that 

(6.20) a 2 =4 (mod t) 

which implies a = ±2(mod^) since I is odd. By (IFHTfl) . x = a/2 is thus a root of (IfHsj) 
satisfying x = ±1 (mod^). 

Conversely, assume that the system has a solution x. Reducing (|6.18|) modulo d leads to 
2 — ax = (modd), i.e. x = a/2 (modd) (since x = ±1 (modd)). Let x = a/2 + dy. Using (|6.19|) . 
we have 

A = (x - |) 2 = d 2 y 2 = (mod d 2 ). 

□ 

We now do the same with 1 = 2. 
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Lemma 6.30. Let 1 = 2, d = £ v . The system i6.18\) . \6. 17\ ) above admits a solution if and 
only if a = 2b is even and for some e = ±1 we have 

(b 2 -p=2 2u ~ 2 y (mod2 2u ) and b-e = 2 u - 1 y (mod d), with y = 0,1 (mod 4) if u ^ 2 
1 p + 1 = 26 (mod 4) if v = 1. 

Proof. This is similar to the previous one, although more tedious, and we leave it as an exercise, 
as it will not be used in the sequel. □ 

Remark 6.31. If we write x = 1 + dy in (|6.18|) . we obtain the corresponding equation for y 

p+l-a + dy(2-a) = 0, 

so if d 2 | p+ 1 — a, d \ a — 2, any y (in particular x = 1) is a solution (compare Proposition 16. 7|) . 
However, for composite d other cases are possible. In other words, the a of Theorem 16. 151 is not 
necessarily the same as the a of Proposition 16.71 for instance take p = 241, d = 15. Here a = 8 
satisfies d 2 \ a? — 4p, but p + 1 — a = 234 ^ (mod 225). On the other hand, a = 17 satisfies 
a = 2 (mod d) and p + 1 — a = (mod d 2 ). 

Theorem 16. 151 is a consequence of Corollary 16 . 281 and Lemma l6.29| and also Proposition 16. 1 ll 
One could incorporate Lemma 16.301 to the statement, instead of rephrasing the system of equa- 
tions (|6.17j) . (|6.18j) at 2, but it would be more complicated. 

For d odd, one can further rederive, using (|6.16|) . Theorem 4.9 (i) of |Sc-2j . namely: 

Proposition 6.32. Let p be a prime number, d \ p — 1 an odd integer. The number of isomor- 
phism classes of elliptic curves E/F p with d\(E) ^ d is equal to 



H((a 2 -4p)/d 2 ). 



\a\<2^p 
a=p+l (mod d?) 

Remark 6.33. One can also tackle the question of finding points on Y(d) over finite fields by 
using the Riemann Hypothesis for the curve X(d), namely the inequality 

\N n -(p n + l)\^2g(d)p n / 2 

for n ^ 1, where N n = X(d)(F p n) and g(d) is the genus of X(d). This implies 

\X(d){F pn )\^p n + l-2g{d)p n ' 2 , 

and if p n is large enough compared to d so that this lower bound exceeds the number of cusps, 
it follows that Y(d)(F p n) ^ 0. 

This approach is developed, in greater generality, by Howe |Hoj . For our purpose, we are 
very interested in values of d large compared to p (and in the base field, n = 1). The inequality 
above is then not precise enough. 

Indeed we have 

g(d) = l + dv + (d)lP(d)^ 

(see e.g. |Sh-l| (1.6.4)]), of size about d 3 , while (Lemma |6.18|) the number of cusps is <p + (d)ip{d), 
of size about d 2 , so the condition to ensure Y(d)(F p ) / 0, namely 

p+l-2g(d)^>ip + (d)^d) 

is true roughly speaking for p of size at least cf 6 . This is weaker than Lemma 16.361 below gives 
from Remark l6.13l or Theorem 16.151 
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6.3. Applications. The previous sections give some rather simple criteria for the existence of 
an elliptic curve over a finite field with a given value of d± (E) . We will deduce here some results 
about the possible values of d\{E) for all elliptic curves defined over a given finite field. Let 

D 1 (p) = {d^l | d = d^E) for some E/F p }. 

What can be said about D\(jp)l 

We list some properties previously established: 

• D\(p) is a subset of the set of divisors of p — 1, indeed (|2,13l) a subset of the set 

{d \p- 1 | d < 1}. 

• D\(p) contains 1 and 2. 

• D\(p) is inductive (i.e. if d G D±(p) and e | d, we have e E D\(p), by Proposition 16. 1 1|) . 

We now consider D\(p) on average over primes p, and will describe, in a certain sense, which 
divisors of p— 1 belong to D\{p). It is of particular interest to consider primes p such that p — 1 
has some divisor (i > p 1 / 4 , and see which of those d are in D\(p). 

First we count on average the divisors of p — 1 which are of a certain size. Let 

(6.21) d a (n) = \{d\n\ d< n a }\ 

for n ^ 1 and a > 0. 

We recall the Bombieri- Vinogradov theorem, already mentioned before. 

Theorem 6.34. For any A > there exists B > suc/i i/iai 

> max 7r(A;d, a) 77- <4 7; tttt, 

^ (M)=i' m 1 (logX)^' 

i/te implied constant depending only on A. 

For a proof, see e.g. |Bo| §7]. 
Lemma 6.35. Let a > be a real number. We have 

J2 d »(p-l)=f(a)cX + O c 



X 



logX 



where 

/(«) 

and 



a if0<a^l/2 
(1-q) ifl/2^a^l 
1 if a ^ 1 

„ C(2)C(3) 



C(6) • 

The implied constant depends on a only. In particular, 

E E 

d|p-l 

as X — > +00. 

Proof. This is a (simpler) variant of the proof of 1)3. 4 Jl using the Bombieri- Vinogradov theorem 
and the Brun-Titchmarsh inequality. Indeed, if a = ^, this is a stronger form of (|3.4j) with 
explicit error term (see for instance |Fouj : the proof in |HR1 3.5] gives a slightly worse error 
term X (log log X )/ (log X) ) . 

If a < ^ , we let (3 = 1/a > 2 and write 

Y^d a (p-l)= Yl (^(X;d,l)-7v(d^ + l;d,l)). 

P^X d<(X-l) a 
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Since a < 1, the Brun-Titchmarsh inequality yields 



V?(d)(log(# + l)) logX' 



Moreover, by the Bombieri- Vinogradov Theorem we have 

V K^;rf,i)-^|« 7r 4n 



for any A > 0. Since 



— — — ~ acX as X — > +00, 
wfc?) 

d<(X-l) a ^ y ' 



this proves the first part for a ^ \. 

If ^ < a < 1, we use Dirichlet's trick to switch divisors 

d a (n) = di- a (ri) 

to reduce to 1 — a. Finally, for a ^ 1, d a (n) = d(n), and this is Linnik's theorem (|3.4j) again, 
with error term. 

The last statement follows from the case a = ^, noting that 

£|{d|p-l I y/X ^d^y/X + 1}\=0(VX). 

p<CX 

□ 

Lemma 6.36. Let d ^ 1 be an integer and p = 1 (mode?) a prime number. If 

d < 2p l ' A 

we have d £ Di (p) . 

Proof. This follows from the criterion of Remark 16. 131 for instance. The assumption means 
that 4-y/p > d 2 , hence all a G Z/c? 2 Z have a lift to Z with |a| < 2^/p. In particular, there is 
an a, |a| < 2^/p, with a = p + 1 (mode? 2 ). Since p = 1 (mode?), we have a = 2 (mode?), and by 
Remark EH d G D x (p). 

For odd c?, one can also appeal to Theorem 16 . 1 51 in the same way: a? (mode? 2 ) runs over all 
squares modulo d 2 , and Ap is a square modulo d 2 (since p = 1 (mode?); indeed, if p = 1 + md, 
4p = (2 + md) 2 (mode? 2 )). So there exists a with 4p = a 2 (mode? 2 ), i.e. d 2 \ a 2 — 4p. □ 

Remark 6.37. One can see from the proof that this lemma is essentially best possible, in the 
sense (for instance) that for any 6 > 1/4, there exist p and c? with d < p e and c? L>i(p)- 
This confirms again that the condition that c?i (E) be of size larger than p 1//4 reflects a critical 
threshold in this subject. 



Proposition 6.38. We have 



for X ^ 2, with an absolute implied constant. 

Actually, we will prove a more precise result. As suggested by Lemma 16.361 we partition 
D\{p) in two subsets according to whether e? < 2p 1 ^ or d > 2p 1 l i (there can not be equality); 
call those subsets D s (p) and D((p), respectively. 

We then have: 
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Proposition 6.39. We have 



for X > 2. 

Proposition 6.40. We have 



logX 
for X ^ 2. 

Proposition 16.381 follows immediately. 
Proof of Proposition \6.3fA By Lemma 16.361 we have 

D s (p) = {d\p-l | d< 2p 1 / A ] 
so |-D s (p)| = d 1/4 (p - 1) + <5(p), where 

J(p) = \{d\p-l | (p - 1) 1/4 < d < 2p 1 ^}\. 
By Lemma 16.351 it suffices to show that 

£ £ 1 «io|x- 

P<X d|p-i 

(p-l) 1 / 4 ^d<2p 1 / 4 

This follows as before from the Brun-Titchmarsh inequality, writing 

£ £ 1= £ K^ 4 + i;^i)-^ 4 /i6;d,i)). 

(p-l) 1/4 ^<2p 1/4 

Equivalently, one may simply adapt the proof of Lemma 16.351 for a = 1/4. □ 

Proof of Proposition \6-4U\ By Remark I6.13| we have d £ D% (p) if and only if there exists a £ Z 
with \a\ < 2^/p such that 

J a = 2 (mod d) 

[ a = p + 1 (modd 2 ) 

Notice that p = 1 (modd) is equivalent with a = 2 (modd) if the last congruence holds. 

Now we remark that if d £ Di(p), then such an a is unique: indeed, if a\ and 02 satisfy the 
above conditions, we have a% = a2 (modd 2 ). Since d 2 > A^/p and \ai\ < this is possible 

only if a\ = a-2- 

Therefore we can write 

£i^)i = £ £ £ i- 

p^X p^X\a\<2^p d\p-l 

d 2 \p+l-a 
d 2 >i^/p 

We exchange the order of summation, getting 

£i^(p)i= E EE 1 

P^X d^^/X+1 \a\<2VX P 

a=2 (mod d) 

where the inner sum is over primes p satisfying the size conditions: 

' P X 
p < d 4 /16 
^a 2 /4 < p 
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and the congruence 

p = a — 1 (mod d 2 ), 

in other words 

J2\De(p)\= E E (vr(inf(fJ,X);d 2 ,a-l)-vr(a 2 /4;d 2 ,a-l)). 

P«=X d<-/X+l |a|<2v / X 

a=2 (mod ci) 
2|a|<d 2 

We drop the second term by positivity, and write 



E>/(p)|< E E ^ 4 /16;^ 2 ,a-l) 

P^ d<2XV 4 2 |a|<d 2 

a=2 (mod d) 

+ E E <X;d 2 ,a-l). 

2X 1 / 4 ^VX+1 \a\<2VX 
a=2 (mod d) 

By the Brun-Titchmarsh inequality (|3.25j) . the first term is 



Y E ^ 4 /lM 2 ,a-l)« £ £ 



tp(d 2 ) logd 

d<2Xi/4 2 |a|<d 2 d<2XV4 2 |a|<d 2 

a=2(modd) a=2(modd) 

< hi*- 

For the second term, we further split the range of d into 2X 1 / 4 < d < X 1 / 2 -- 5 and X 1 / 2 " 5 < d < 
\/X + 1, where < 5 < 1/2. For the second range, where d is very large, we simply overcount 
all integers n = a — 1 (mode? 2 ) instead of primes, getting 

£ E -(X ;( i 2 ,a-1)« £ ^x* 

a=2 (mod d) 

« x 1 /^ 35 , 

so if 5 < 1/6, this saves a power of X instead of merely logX. 
Finally, we have again by IJM.25|) 

£ E -(X;d 2 ,a-1)« E E ^ 



w(d 2 )logX 

2XV4^ X i/2-« \ a]<2 ^x 2X1/4^X1/2-* | a |< 2v ^ 

a=2 (mod d) a=2 (mod d) 

x 3 / 2 v 1 

^ logX ^ d 2 f(d) 

2X1/4^X1/2-* ^ V y 

X 



logX 



□ 



Remark 6.41. Here the criterion given by the trace formula could also have been used, but it 
would be slightly more complicated, mainly because of the possible multiplicity of a occurring 
for the same d. 

As a variant, we mention, and leave as an exercise, what happens for elements of D\{p) larger 
than p 1 /^ 9 for some fixed 9 > 0. 
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Proposition 6.42. Let 9 > be a real number. We have 

^\{d^D 1 ( P ) | rf>p^}|« 9 I« 

for X ^ 2, the implied constant depending only on 6. 

We also leave as an exercise the following estimate on the average number of isomorphism 
classes of E/F p with d\{E) ^ 2p 1 ^ (use Proposition 16.321 and the trivial estimate H(A) <C 
A 1 / 2 log A, see e.g. [Coxl Th. 7-24]). 

Proposition 6.43. We have 

£ £ |{£/F P | d 1 ( J E)^4|«X 5 / 4 . 

d[p-l 
2{d 

For comparison, the total number of isomorphism classes of E/F p with p ^ X is ~ X 2 (there 
are p possible j-invariants and, except for cubic and biquadratic twists for j = 0, 1728, two 
isomorphism classes for each j-invariant, see e.g. |Si-ll X-5]). 

Remark 6.44. For heuristic purposes in trying to make guesses about the distribution of outside 
primes for elliptic curves, it is really a lower-bound for |.Dg(p)| that one would like to have on 
average, or more precisely for the quantity in Proposition 16.431 This looks like a fairly hard 
problem: one can see in the proof of Proposition I6.4U1 that it boils down to assertions about the 
equidistribution of primes ^ Y to moduli which are 3> Y 1//2 , and moreover with "initial term" 
a — 1 which vary. The latter constraint, in particular, seems currently incompatible with the 
methods developed by Bombieri, Friedlander and Iwaniec BFl]. 

7. Numerical examples 

The various problems we have considered lend themselves easily to numerical experimentation 
using computer packages for elliptic curves computations. We have used the PARI/GP system 
and written scripts to perform the following computations, for an elliptic curve E/Q given by 
a Weierstrass equation: 

• Compute the invariants d\{jp), c?2(p) at a prime p, and the sum Se(X; d\). Also, find 
the weak outside primes of E which are ^ X, and if the order of the Galois groups Gd 
can be computed, the outside primes ^ X. 

• Compute the multiplicity functions M(n) or m(p), the number of S-twins ^ X and 
more generally the various moments Sk(X), Tk{X). 

The numerical results can be compared to the predictions, when we have some. Especially if 
E is a Serre curve (Section l3.3j) . one can compare S^(X;<ii) with the conjectural asymptotic 

S E {X-d x ) ~ c {E)\i{X). 

The PARI system does not implement (yet) the computation of d\{p) as a primitive function 
although, based on Cohen's description of the Shanks-Mestre algorithm to compute a p ( |C-1| 
7.4.3]), this should be almost as fast as computing a p . However one can write a simple enough 
algorithm by computing the exponent (i.e. did-z) of E p (F p ) by looking for an element of maximal 
order, either by "exhaustion" or more efficiently (as suggested by K. Belabas) by picking up a 
few "random" points on E p (F p ) and taking the l.c.m of their orders. 9 Moreover, for primes p 
with |i£p(Fp)| squarefree, one has d\{p) = 1 without further computations, and this happens 
quite often if the curve has no non-trivial rational 2-torsion points. 

9 In the computations below, this was done with 20 random points, so in theory the results might be off by 
a small amount. However, it is easy to repeat the computations for the primes yielding "large" values of di(j>), 
thus ensuring their correctness. 
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Computing elliptic twins is even simpler, and the computation of the sums 

S k (X) = M (n) k 



n<X 



can be performed using very little memory by operating by blocks of n. Numerically, M(n) is 
always very small so Sk(X) is very close to Tf.—i(X) (compare (|4.14|l ). Also we computed the 
modified first moment 

S'(X) = M ^)- 



n twin value 



Note that we have obviously 
(see gSJ for J{X)). 



S'(X) = J(X) + 0(VX 



7.1. The test curves. We used two non-CM curves, which are Serre curves, and one CM 
curve. Here are their id-sheets: 

Example 7.1. Consider the curve (see |S^H 5.9.2], [CTJ I §7]) 

E : y 2 = x 3 + 6x - 2 

with j(E) = 2 9 3, discriminant -2 6 3 5 , conductor 1728. It has rank 0. By jCTJ Th. 7.1], this 
curve is a Serre curve and m = 3 in this case. 
Using Corollary 13.131 1)3.20(1 . we have 

d(E) 5461 



5425 10066 - 
c{E) = c{E)c = 1.2668... 



(7.1) 

Example 7.2. Consider the curve (see jSe-lL 5.5.6]) 

F : y 2 + y = x 3 — x 

with j(F) = 2 12 3 3 /37, discriminant 37, conductor 37. It has rank 1, the point (0,0) being of 

infinite order. It is also a Serre curve and m = 37. (It is also studied by Mazur and Swinnerton- 

Dyer in jHSE])- 

Using Corollary I3.13[ we have 

;/ , 1732338101 

c'(F) = = 1.000003 . . . 

v ; 1732332625 

(7.2) c(F) = c'(F)c = 1.2584... 

(the value of c(F) differs from cq by less than 10 -5 ). 

Example 7.3. The last curve is the CM curve (|3.23|) of Example 13.161 namely 

A : y = x — x, 
(with CM by Z[i]). The expected behavior is now 

SA(X;d!) ~ c(A)X 

with c(A) given by (|3.16jl . 

7.2. Numerical examples: the elliptic splitting problem. We now give a few examples 
of computations of averages of d\. Here are some experimental data for p ^ 60, 000, 000, for the 
curves E and F of Examples 17.11 and 17.21 



X 


n(X) 


S E (X;dt) 


Ratio 


S F (X;d!) 


Ratio 


100,000 


9592 


11945 


1.24530 


11944 


1.24520 


500,000 


41538 


52418 


1.26192 


51969 


1.25111 


1,000,000 


78498 


99144 


1.26301 


98465 


1.25436 
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5,000,000 


348513 


440751 


1.26466 


438079 


1.25699 


10,000,000 


664579 


841232 


1.26581 


835662 


1.25743 


15,000,000 


970704 


1229075 


1.26616 


1220393 


1.25722 


20,000,000 


1270607 


1608929 


1.26626 


1597802 


1.25751 


30,000,000 


1857859 


2352704 


1.26635 


2336778 


1.25778 


40,000,000 


2433654 


3081940 


1.26638 


3061994 


1.25818 


kc\ nnn nnn 

ou,uuu,uuu 


Qnni i Q/i 
oUUllo4 


ooUUU / 


1.ZDDZ1 


oil 0041 


l.zooU ( 


60,000,000 


3562115 


4510928 


1.26636 


4480730 


1.25788 



The agreement with the expected behavior seems quite good, but it should be noticed that 
only values of d (in the sense of <|3.2JI ) which are fairly small actually occur in this range. In 
accordance with (|7.1j) and (|7.2|) . the sum for E tends to be slightly larger than that for F. 

All outside primes ^ 300, 000, 000 were computed. It turns out that there are very few of 
them. Here is the complete list, indicating the prime p, the value of d\{p) and the order of the 
Galois group Gd 



p 


di(E,p) 


\G d \ 


196561 


140 


92897280 


4095037 


162 


76527504 


13403893 


114 


17729280 


30626899 


106 


46433088 


53629561 


184 


410370048 


54460963 


258 


480598272 


76391737 


172 


320398848 


132576571 


127 


258080256 


138085949 


143 


345945600 


145030393 


312 


966131712 



There are 20 additional weak outside primes, for instance p = 779761 with d\{p) = 36 = p' 
with a = 0.26. . . 

The impact of the single very large value of d\ at p = 196561 is quite noticeable: we have 



X 


S E {X;d x ) 


tt(X) 


Ratio 


196560 


22218 


17700 


1.2552 


196561 


22358 


17701 


1.2630 



In another direction, here is a table listing, for those d ^ 140 for which at least one p ^ 
3,000,000 splits completely in Q(E[d]), how many do: irx(E; d, 1) is in the second row, the 
third is the ratio tt(X)/tte(X; d, 1), for comparison with \Gd\- 



d 


2 


3 


4 


5 


6 


7 


Number 


13032 


1624 


783 


164 


502 


28 


Ratio 


6.0223 


48.335 


100.25 


478.63 


156.36 


2803.4 


\G d \ 


6 


48 


96 


480 


144 


2016 


d 


8 


9 


10 


11 


12 


13 


Number 


40 


17 


33 


7 


28 


4 


Ratio 


1962.4 


4617.4 


2378.6 


11213. 


2803.4 


19624. 


\G d \ 


1536 


3888 


2880 


13200 


2304 


26208 


d 


14 


15 


16 


17 


18 


19 


Number 


6 


2 


1 


1 


8 


1 


Ratio 


13082. 


39248. 


78496. 


78496. 


9812.0 


78496 


\G d \ 


12096 


23040 


24576 


78336 


11664 


123120 


d 


20 


21 


23 


24 


28 


30 


Number 


1 


1 


2 


2 


1 


1 


Ratio 


78496. 


78496. 


39248. 


39248. 


78496. 


78496. 
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\GA 


46080 


96768 


267168 


36864 


193536 | 69120 


i 

a 


35 


36 


70 


140 




Number 


1 


1 


1 


1 




Ratio 


78496. 


78496. 


78496. 


78496. 






967680 


186624 


5806080 


92897280 




ere is the table listing the outside primes ^ 300, 000, 000. 






V 


di(F,p) 








8317 


11 


13200 






63317 


22 


79200 






657493 


44 


1267200 




1258667 


37 


1822176 




11019023 


98 


29042496 



One can see again that those p for which d\(jp) is large have an important effect; here we have 



X 




vr(X) 


Ratio 


63313 


7849 


6343 


1.2374 


63317 


7871 


6344 


1.2407 


657491 


66953 


53378 


1.2543 


657493 


66997 


53379 


1.2551 



Here is the table of the number of primes p ^ 3, 000, 000 which split in Q(F[d]) for 2 ^ d ^ 44 
(those d for which no p splits are omitted): 



d 


2 


3 


4 


5 


6 


Number 


13034 


1645 


790 


152 


268 


Ratio 


6.0224 


47.718 


99.363 


516.42 


292.89 


\G d \ 


6 


48 


96 


480 


288 


d 


7 


8 


9 


10 


11 


Number 


30 


56 


15 


22 


10 


Ratio 


2616.5 


1401.7 


5233.1 


3568.0 


7849.7 


\G d \ 


2016 


1536 


3888 


2880 


13200 


d 


12 


13 


14 


15 


16 


Number 


16 


2 


4 


2 


4 


Ratio 


4906.0 


39248. 


19624. 


39248. 


19624. 


\Gd\ 


4608 


26208 


12096 


23040 


24576 


d 


21 


22 


24 


44 




Number 


1 


3 


2 


1 




Ratio 


78497. 


26165. 


39248. 


78497. 




\Gd\ 


96768 


79200 


73728 


1267200 





For the CM curve A of Example 17. 3( we get the following for p ^ 30, 000, 000, where we 
compare Sa(X; d\) with X in the last column: 



X 


S A (X;di) 


Ratio 


10000 


5410 


0.5410 


100000 


55578 


0.5558 


500000 


267450 


0.5349 


1000000 


529742 


0.5297 


5000000 


2633630 


0.5267 


10000000 


5274876 


0.5275 


15000000 


7839124 


0.5226 


20000000 


10386178 


0.5193 


25000000 


13027268 


0.5211 



30000000 | 15665348 | 0.5222 
The expected linear growth of Sg(X;cLi) seems also apparent. 

7.3. Numerical examples: elliptic twins. Motivated by the rough heuristic of Section f4.31 
for non-CM curves we compare S'(X) with 10 

li 2 ( x ) = [ X -^-^ = li(x) - li(2) - + 

h (log*) 2 V 7 K ' logx log2 

The first table lists some values of X, S'(X) and S'{X)/\\2{X) for the curves E and F, for 
X < 10 8 . 



X 


S' E (X) 


S' E (X)/]i 2 (X) 


S' F (X) 


S' F (X)/li 2 (X) 


1000 


32 


0.9226 


29 


0.8361 


10000 


133 


0.8198 


154 


0.9492 


100000 


1110 


1.1736 


1062 


1.1229 


1000000 


7364 


1.1788 


7349 


1.1764 


5000000 


29583 


1.2079 


29045 


1.1860 


10000000 


54036 


1.2143 


52734 


1.1850 


20000000 


98582 


1.2136 


97226 


1.1969 


40000000 


181587 


1.2197 


178934 


1.2018 


60000000 


259489 


1.2206 


255478 


1.2018 


80000000 


333974 


1.2193 


329150 


1.2017 


99980000 


407033 


1.2205 


401293 


1.2033 



Next we list the multiplicities M(n) occurring for twin values n: in this range, M(n) ^ 5, 
and the number of integers with a given M(n) = k > 1 is as follows: 



k 


2 


3 


4 


5 


E 


194197 


5982 


167 


5 


F 


191817 


5685 


146 


4 



The values of n ^ 10 8 with Mg(n) = 5 are 

n G {13269240, 14469576, 20024896, 52472068, 64703760} 
and those with Mp{n) = 5 are 

n £ {5597128,64220836,85004608,86998320}. 
To compare with (|4.16|) . note that 

logx __ J 5.7980 for x = 10 7 
log log x ~ 1 6.3225 forx = 10 8 . 

Because of the very small number of n with M(n) > 2, j(X) (see (|4.4|l ) is almost equal to 
^S'(X). In particular, the numerical data seems to confirm (|4. 15|) for E and F. 

We now consider the CM curve A/Q. Of course, the field of definition does not contain the 
CM field, as assumed in Section [3 However, it is very simple to adapt the arguments there to 
this case. 

For supersingular p, i.e. p = 3 (mod 4), we have n p = p + 1; in particular if we write 

M(n) = M (n) + M s (n), 

where M Q (n) (resp. M s (n)) is the number of ordinary primes p with n p = n (resp. supersingular 
primes), it follows that M s (n) = or 1 according to whether n — 1 is prime = 3 (mod 4) or not 
(note that n p = (mod 4) for all p since A[2] C ^4(Q), so n p — 1 = 3 (mod 4) for all p). 



'As usual, this gives a much better approximation than X/(logX) 2 . 
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We thus get the bound 

(7.3) M(n) < 1 + -r(n) 

instead of l|5.4|) . 

To estimate Sfc(X), write 

S fc (X) = Y, (M (n) + M s (n)) k 

n<^X 

= E (*) E M s (n) fc ^M (n)^' 
i=o v/ 

since M s (n) fc ~- ? ^ 1, where S j(X) is the j-th moment of M (n). To the latter sum, we can 
clearly apply the arguments used in Section El verbatim, and deduce 

S oJ (X) <j ^logX)^" 1 ^ 6 with p(j) = 2 j -j -2, for any e > 

hence we have: 

Proposition 7.4. For all k ^ and 1 > 2 we /iaue 

« £ X(logX)' 3 ( fc - 1 )+ £ for k ^ 1 

r fc (x)« £ x(iogX)^ fc )+ £ , 

with (3(k) = 2 k — k — 2 for any e > 0, the implied constant depending only on k and e. 

Computations were performed for p ^ 20, 000, 000. Here is a table with values of j(X), S'(X) 
and of the ratio S"(X)/li(X): 



X 


s' A (x) 


S' A (X)/li(X) 




1000 


67 


0.37723 


27 


10000 


486 


0.39000 


187 


100000 


3693 


0.38349 


1430 


1000000 


29068 


0.36969 


11052 


5000000 


126445 


0.36268 


47674 


7500000 


182930 


0.35975 


68842 


10000000 


238563 


0.35878 


89693 


12500000 


292994 


0.35778 


110021 


15000000 


346590 


0.35692 


130095 


17500000 


399567 


0.35624 


149871 


20000000 


451562 


0.35530 


169294 



Here is a table with values of S2{X) et S 3 {X), compared with li(X) and X respectively: 



X 


S 2 (X) 


S 2 (X)/li(X) 


S 3 (X) 


S 3 (X)/X 


100000 


16757 


1.7401 


43637 


0.43637 


500000 


73154 


1.7582 


198966 


0.39793 


1000000 


138492 


1.7613 


384224 


0.38422 


2500000 


323992 


1.7680 


919320 


0.36772 


5000000 


618660 


1.7745 


1786380 


0.35727 


7500000 


902363 


1.7746 


2635021 


0.35133 


10000000 


1180791 


1.7758 


3469855 


0.34698 
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12500000 


1454892 


1.7766 


/( o o p" oo o 

4285228 


0.34281 


15000000 


1724899 


1.7763 


5098883 


0.33992 


1 7500000 


1992562 


1.7765 


5897698 


33701 


20000000 


2258677 


1.7772 


6714287 


0.33571 



Here is the table of values > 1 taken by M(n) in this range (those k for which no n satisfies 
M(n) = k are omitted): 



2 


3 


4 


5 


6 


7 


8 


9 


10 


11 


106007 


37191 


14291 


6123 


2835 


1360 


670 


386 


195 


108 


12 


13 


14 


15 


16 


17 


18 


19 


20 


24 


60 


33 


13 


9 


7 


1 


2 


1 


1 


1 



The n with M(n) = 24 is n = 12818000. Notice that n = 2 4 • 5 3 • 13 • 17 • 29, each prime / 2 
being (of course) a sum of two squares. We have r(n) = 32 in this case. In practice, it is quite 
easy to find rather large multiplicities without constructing a complete table: take an integer n 
divisible by 4 (because A[2] C A(Q)) and with many prime factors = 1 (mod 4) so that r(n) is 
large, and look at the primes p, n~ ^ p ^ n + , for those with n p = n. 

For comparison, the integers n ^ 10 8 with M E (n) = 5 or Mp(n) = 5 factorize as follows: 

13269240 = 2 3 • 3 2 • 5 • 29 • 31 • 41, 14469576 = 2 3 • 3 • 11 • 23 • 2383, 

20024896 = 2 6 • 139 • 2251, 52472068 = 2 4 • 11 • 37 • 167 • 193, 

64703760 = 2 4 • 3 • 5 • 11 • 24509, 5597128 = 2 3 • 699641, 

64220836 = 2 2 • 19 • 491 • 1721, 85004608 = 2 6 • 13 • 71 • 1439 . 86998320 = 2 4 • 3 3 • 5 • 40277, 

the prime factors exhibiting no obvious property (?). 

8. Conclusion 

The many questions raised in this paper seem very hard to attack, but on the other they seem 
to be very interesting from the point of view of analytic number theory. Given the extensive 
experience with the distribution of primes in arithmetic progressions to large moduli, and the 
(much more modest) first results for CM curves obtained here, one would like to have some kind 
of sieve method available for the non-CM curves: roughly speaking, sieve is powerful because it 
exploits the embedding of primes inside the integers, and because the divisibility of integers by 
a given d ^ 1 can be used to recover primes by inclusion-exclusion, so some of the regularity of 
the distribution of integers can be exploited. 

For a non-CM curve E/Q, the function d\{p) has no obvious interpretation as the restriction 
to primes of an arithmetic function defined for all n, whereas if E/Q has CM, d\{p) is 6(7r — 1), 
where ir is the Frobenius at p and b(a) is defined for any a 6 End(-E') as the largest integer 
b £ Z with (b) | (a). 11 

Also, despite the fact that the modularity of elliptic curves would seem to provide a "dual 
view" , similar to that of Dirichlet characters instead of 1-dimensional Galois representations, it 
is really the Artin L-functions attached to the fields K(E[d])/K which are of importance. Those 
can have rank as large as d (roughly), which makes all current analytic techniques incapable 
of dealing with them, individually or on average, even assuming the Artin conjecture, or that 
they are automorphic L-functions. 

Thus it seems much work is required to understand those analytic problems. As for arithmetic 
progressions however, where the stumbling block of the Riemann Hypothesis has often been 
circumvented by startling new results (Linnik's dispersion method, the Bombieri- Vinogradov 

n The results of Duke and Toth f|D"Tj1 can be used to "lift" the Frobenius on E p to a matrix in M(2, Z), 
well-defined up to GI/(2)-conjugacy, which reduced modulo d gives the action of a v on Q(E[d]) for any d (prime 
to the discriminant). But I do not see how to isolate the conjugacy classes of this type; the set of all matrices is 
too big to give information on a single elliptic curve. 
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theorem, the results of Bombieri-Friedlander-Iwaniec, etc.), one may hope that there is much 
to discover. 
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